The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security today released a list of 55 National Critical Functions so vital to the United States that disruption, corruption, or dysfunction would have a debilitating effect security, national economic security, or national public health or safety.
CISA works in close coordination with other federal agencies, the private sector and other key stakeholders in the critical infrastructure community to identify, analyze, prioritize, and manage the most strategic risks to the nation’s critical infrastructure.
CISA’s risk management efforts aim to build on legacy programs that historically have focused on critical infrastructure from the perspective of assets and organizations, not systems and functions. This evolved approach addresses system-wide and cross-sector risks. Sector expertise should inform efforts, and influence our understanding of how to manage risk to National Critical Functions.
This set was developed through a far-reaching partnership effort with the critical infrastructure community via the Sector Coordinating Councils, associated Sector Specific Agencies, the SLTT Government Coordinating Council, and other stakeholders.
The National Critical Functions construct provides a risk management lens that focuses less on a static, sector-specific or asset world view, and instead focuses on the functions an entity contributes to or enables. This allows for more holistically capturing cross-cutting risks and associated dependencies that may have cascading impact within and across sectors.
It also contributes to a new view of criticality which is linked to the specific parts of an entity that contribute to critical functions. By viewing risk through a functional lens, we can ultimately add resilience and harden systems across the critical infrastructure ecosystem in a more targeted, prioritized, and strategic manner.
The National Critical Functions construct – being a new “language” that we can use to talk about critical infrastructure risk management – is also a foundational element for the development of a Risk Register. By performing risk and dependency analysis and consequence modeling, CISA will identify scenarios that could potentially cause national-level degradation to National Critical Functions. This will result in a tiered Risk Register that prioritizes areas of national risk to critical infrastructure in need of mitigation and collective action. The process for developing the Risk Register will involve representatives from across government and industry and combine analysis, with policy judgment and operational insight.
The Risk Register will not be a public document and may potentially have portions at higher classification levels. Regardless, we are committed to ensuring the right people in the critical infrastructure community receive actionable information to make informed risk management decisions.