CISA delivers status update to critical infrastructure sector, as adoption of NCF Framework continues

NCF Framework

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a status update addressing the critical infrastructure sector, and informing stakeholders of the progress made on the main activities of the National Critical Functions (NCFs). It also provided details on the progress made to advance federal implementation of the NCF Framework. 

The NCF Status Update details the progress made over the past year to further break down all 55 NCFs to their primary and secondary sub-function levels. This decomposition work is essential to identifying and analyzing where risks that could have national-level consequences exist. It also details CISA’s work to advance federal implementation of the NCF Framework through the establishment of a new working group. The update also sheds light on the progress of the Risk Architecture, a technology-enabled tool that will enhance CISA’s risk analysis capabilities.

NCFs refer to the functions of government and the private sector that are so vital that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. The NCF Framework uses an asset-centric approach to better assess how failures in key systems, assets, components, and technologies may cascade across sectors, and what the overall impacts to the nation would be. This enables better-targeted risk response and mitigation efforts that will support the greatest reduction in risks to national security, economic security, public health and safety, and public confidence. 

At last week’s first meeting of the agency’s Cybersecurity Advisory Committee, an independent body established to advise and provide recommendations on how to enhance the nation’s cyber defense, the importance of reducing systemic risk to the NCFs was a key topic.

“Over the past 12 months, we have made significant progress with the NCFs, and would like to provide the critical infrastructure community with an overview on what we have done and where we would like to go moving forward to enhance our Nation’s critical infrastructure risk management capabilities,” Bob Kolasky, assistant director at the CISA NRMC, wrote in a memorandum providing the status update on the NCFs. 

“As we move forward, the NRMC will continue to further mature, refine, and operationalize the NCF Framework to identify, prioritize, and mitigate national level risks in partnership with the Federal Senior Leadership Council (FSLC) and critical infrastructure partners,” Kolasky added. “This will include informing and reinforcing CISA priorities and strategic mitigation capabilities like the Joint Cyber Defense Collaborative (JCDC),” he added.

CISA, through the National Risk Management Center (NRMC), brings the private sector, government agencies, and other stakeholders together to identify, analyze, prioritize, and manage significant risks, such as cyber, physical, and supply chain, to these critical functions. It works in a targeted, prioritized, and strategic manner to improve the resilience across the nation’s critical infrastructure. 

The NRMC developed the NCF Risk Management Framework that allows for a more robust prioritization of critical infrastructure and a systematic approach to corresponding risk management activity. It enables a greater understanding of how entities come together to produce NCFs and how failures in the key systems, assets, components, and technologies that produce or deliver an NCF may cascade across sectors and industries.

The NRMC uses the NCFs as a framework and reference point for where it should focus critical infrastructure risk assessment, CISA said. The status update lists six categories of risk assessments that the NRMC performs, although the NCFs may be used in other contexts as well. The categories are: setting strategic priorities across NCFs for further risk analysis or risk mitigation; setting priorities within NCFs for risk mitigation; criticality assessments and identifying priority infrastructure, technology, or resources; threat- or hazard-specific risk analysis; setting outreach and operational risk management priorities; and assessing the impacts of emerging technologies or technology transition.

CISA also notes that the ability to assess risk cohesively and consistently requires a set of foundational concepts and terminology common to the six categories of risk assessments listed, which also enable information to be shared between them, when appropriate. 

To support that ability, the NRMC is developing the Risk Architecture, CISA said. The Risk Architecture is NRMC’s technology-enabled tool that will integrate the decomposition data and various other data structures to run analytical models and simulations and to perform geospatial and calculated analyses to support NCF risk analysis and assessment. 

Depending on the circumstances and available information, risks to NCFs may be identified from information about threats and hazards, vulnerabilities, or consequences, according to the status update. Unless explicitly stated, NCF risk assessments address the risk to the nation from a national security, economic security, and public safety perspective, which may be significantly different from the risk to an entity, stakeholder group, or jurisdiction. This is also importantly different from the geographic or sector extent of a vulnerability, or the consequence of a particular scenario. 

“A nationally significant risk may need collaborative mitigation even when a single incident would only have local or regional impacts,” the status update said. “That being said, the country’s tolerance for risks to NCFs is often far below nation-wide impacts. Risk may disproportionately impact a particular geographic area. Also, conditions in a constrained geographic area may rise to the level of national significance or may cascade through the Nation. For these reasons, conditions in cities, counties, states, and regions are an important part of understanding NCFs and their risks.” 

To lead the federal implementation of the NCF Framework, the Federal Risk Management Working Group was established within the Federal Senior Leadership Council (FSLC), a cross-sector council composed of federal departments and agencies with responsibility for critical infrastructure security and resilience. The Working Group is composed of interagency representatives who will help coordinate interagency efforts to support CISA and FSLC decision-making for NCF risk identification, analysis, prioritization, and mitigation. 

To aid risk management prioritization, the Working Group will also support interagency input into the Risk Architecture to compare risk scenarios based on likelihood, vulnerability, and consequence. CISA is also working to update the National Infrastructure Protection Plan to reflect the NCF Framework. 

The update will further the goal of breaking down organizational silos through identification, prioritization, and reduction of shared risks. Since a majority of critical infrastructure is privately owned, effective risk management depends on private sector and government collaboration to understand systemic risk, and how threats may impact one or more NCFs. This evolution enables the critical infrastructure community to understand and manage the most significant risks facing the nation.

Going forward, the NRMC will continue to evolve the NCF Framework in conjunction with interagency and industry partners. It will also expand understanding of the communities of interest that surround each NCF, and align existing and future NRMC initiatives, and broader CISA programs, to the NCF Framework. It will also further develop the NCF Framework as a tool for operational analysis. These efforts will strengthen the NCF Framework, enhancing the critical infrastructure community’s capability to navigate the evolving risk environment and its understanding of critical infrastructure risk to support policymaking and operational decisions.
