DHS needs to work on strengthening critical infrastructure security efforts, GAO reveals

A new report released by the U.S. Government Accountability Office (GAO) determined that the nation needs to act on improving critical infrastructure security. The agency assessed that the critical actions that the Department of Homeland Security (DHS) needs to take include strengthening the federal role in protecting the cybersecurity of critical infrastructure and improving priority setting efforts.

“Pursuant to legislation enacted in 2018, the Cybersecurity and Infrastructure Security Agency (CISA) within DHS was charged with responsibility for enhancing the security of the nation’s critical infrastructure in the face of both physical and cyber threats,” GAO said in its report on Wednesday. “In March 2021, GAO reported that DHS needed to complete key activities related to the transformation of CISA. This includes finalizing the agency’s mission-essential functions and completing workforce planning activities,” it added. 

The GAO report identifies that the DHS needs to strengthen its role in protecting the cybersecurity of the critical infrastructure sector and complete CISA transformation activities. GAO also reported that the DHS needed to address challenges identified by selected critical infrastructure stakeholders, including consistent stakeholder involvement in developing related guidance. Accordingly, GAO made 11 recommendations to DHS, which the department intends to implement by the end of 2022.

GAO said that the federal government had been challenged in working with the private sector to protect critical infrastructure. As a result, the agency has made recommendations to strengthen the DHS’s role in critical infrastructure cybersecurity, including enhancing the capabilities and services of CISA and ensuring that federal agencies with sector-specific responsibilities are providing their sector partners with effective guidance and support. 

“The importance of clear cybersecurity leadership extends beyond the White House to other key executive branch agencies, including DHS,” GAO said. “Federal legislation enacted in November 2018 established CISA within the department to advance the mission of protecting federal civilian agencies’ networks from cyber threats and to enhance the security of the nation’s critical infrastructure in the face of both physical and cyber threats. The act elevated CISA to agency status; prescribed changes to its structure, including mandating that it have separate divisions on cybersecurity, infrastructure security, and emergency communications; and assigned specific responsibilities to the agency,” it added.

To implement the statutory requirements, CISA leadership launched an organizational transformation initiative. In March last year, GAO reported that CISA had completed the first two of the three phases of its organizational transformation initiative. “Specifically, we noted DHS had not fully implemented its phase three transformation, which included finalizing the agency’s mission-essential functions and completing workforce-planning activities by December 2020,” the report added.

The agency also “found that of 10 selected key practices for effective agency reforms we previously identified, CISA’s organizational transformation generally addressed four, partially addressed five, and did not address one,” the report disclosed. “Further, we reported on a number of challenges that selected government and private sector stakeholders had noted when coordinating with CISA, including a lack of clarity surrounding its organizational changes and the lack of stakeholder involvement in developing guidance. Although CISA had activities underway to mitigate some of these challenges, it had not developed strategies to, among other things, clarify changes to its organizational structure,” it added.

To address these weaknesses, “we made 11 recommendations to DHS. The department concurred with our recommendations and, as of September 2021, reported that it intends to fully implement them by the end of calendar year 2022,” GAO said. Implementing these recommendations will better position CISA to ensure the success of its reorganization efforts and carry out its mission to lead national efforts to identify and respond to cyber and other risks to our nation’s infrastructure, it added. 

Since 2010, “we have made about 80 recommendations for various federal agencies to enhance infrastructure cybersecurity. For example, in February 2020, we recommended that agencies better measure the adoption of the NIST framework of voluntary cyber standards and correct sector-specific weaknesses,” the report disclosed. 

Specifically, “we found that most sector risk management agencies were not collecting and reporting on improvements in the protection of critical infrastructure as a result of using the framework across the sectors,” GAO said. “We concluded that collecting and reporting on these improvements would help the sectors understand the extent to which sectors are better protecting their critical infrastructure from cyber threats,” it added.

To address these issues, GAO has “made 10 recommendations—one to NIST on establishing time frames for completing selected programs—and nine to the lead agencies, to collect and report on improvements gained from using the framework,” the report revealed. “Eight agencies agreed with the recommendations, while one neither agreed nor disagreed and one partially agreed. However, as of November 2021, none of the recommendations had been implemented,” it added. 

Until the lead agencies collect and report on improvements gained from adopting the framework, the extent to which the 16 critical infrastructure sectors are better protecting their critical infrastructure from threats will be largely unknown, the GAO report determined. 

Last month, GAO reported that it was asked to review CISA’s critical infrastructure prioritization activities. The agency examined how the National Critical Infrastructure Prioritization Program identifies and prioritizes nationally significant critical infrastructure, CISA’s development of the National Critical Functions framework, and key services and information that CISA provides to mitigate critical infrastructure risks. 

GAO further recommended last month that CISA improve its process for identifying critical infrastructure priorities to reflect current threats better, seek input from states that have not provided recent updates on identifying critical infrastructure, and involve stakeholders in developing the National Critical Functions framework. The agency also recommended documenting goals and strategies for the National Critical Functions framework, improving efforts to coordinate cybersecurity services, and sharing regionally specific threat information. The DHS concurred with these recommendations.

The GAO determined in February that critical infrastructure agencies need to assess the adoption of cybersecurity guidance. Accordingly, the audit institution also addresses how sector risk management agencies (SRMAs) have determined framework adoption by entities within their respective critical infrastructure sectors and identified improvements resulting from sector-wide use. 

In December, the GAO identified the need for the federal government to develop and execute a comprehensive national cyber strategy and strengthen its role in protecting critical infrastructure cybersecurity.
