As the Cybersecurity and Infrastructure Security Agency (CISA) is shifting its focus from protecting sets of critical assets to improving the resilience of critical functions, the Government Accountability Office (GAO) said the agency should improve its priority setting, stakeholder involvement, and threat information sharing in connection with that effort.
“Through the National Critical Infrastructure Prioritization Program, [CISA] is to identify a list of systems and assets that, if destroyed or disrupted, would cause national or regional catastrophic effects,” wrote GAO.
“However, nine of 12 CISA officials and all 10 of the infrastructure stakeholders GAO interviewed questioned the relevance and usefulness of the program,” GAO said. “For example, stakeholders identified cyberattacks as among the most prevalent threats they faced but said that the program’s list was not reflective of this threat.”
CISA has plans to integrate the National Critical Functions framework into broader prioritization and risk management efforts, but acknowledges that it needs to improve the connection between the National Critical Functions framework and local operational risk management activities and communications.
Despite CISA beginning work on the functions framework in 2019, “most Federal and non-Federal critical infrastructure stakeholders that GAO interviewed reported being generally uninvolved with, unaware of, or not understanding the goals of the framework.”
CISA data also show that since fiscal year 2017, no more than 14 states have provided updates to the program in any given fiscal year.
Further, CISA’s reorganization in 2020 contributed to challenges for the agency in communicating and coordinating the delivery of some cybersecurity services, GAO said.
GAO made six recommendations for CISA, and its parent agency, the Department of Homeland Security (DHS), concurred with each of them:
- Improve the process for identifying critical infrastructure priorities to better reflect current threats;
- Seek input from states that haven’t provided recent updates on identifying critical infrastructure;
- Involve stakeholders in the development of the National Critical Functions framework;
- Document goals and strategies for the National Critical Functions framework;
- Improve coordination of cybersecurity services; and
- Share regionally specific threat information.
DHS concurred with the recommendations and described action plans for each of them.