A new report by the U.S. Government Accountability Office (GAO) recommends that the Cybersecurity and Infrastructure Security Agency (CISA) implement time frames to complete its sector risk management and statutory responsibilities.
The report asked experts from 16 critical infrastructure sectors, which were expanded on in the Thornberry National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2021, about the steps the agency has taken to meet these requirements.
“New activities officials described to address these responsibilities included developing a risk analysis capability and updating emergency preparedness products – However, CISA has not developed milestones and timelines to complete its efforts. Establishing milestones and timelines would help ensure CISA does so in a timely manner,” stated the report.
The report looked at two primary areas to make this assessment:
- how the FY21 NDAA changed sector risk management agency responsibilities, and the actions these agencies reported taking to address them; and
- the extent to which CISA has identified and undertaken efforts to help sector risk management agencies implement their responsibilities set forth in the FY21 NDAA.
CISA has made strides toward meeting some of the regulatory requirements, such as “updating key guidance documents, including the 2013 National Infrastructure Protection Plan and templates for revising sector specific guidance documents,” the report says.
The report concludes by making over 80 recommendations to DHS on creating a timeline to achieve its regulatory goals.
DHS concurred with the recommendations.