Federal and state officials have questioned the National Critical Infrastructure Prioritization Program’s relevance and usefulness, and believe it does not consider the most prevalent infrastructure threats, such as cyber attacks.
The program, run by the Cybersecurity and Infrastructure Security Agency (CISA), is intended to identify the critical infrastructure assets most in need of protection. The program’s list is then used to inform the awarding of preparedness grants to states. CISA is shifting its focus from simply protecting a set of critical assets to improving the resilience of critical functions, such as supplying water. But the Government Accountability Office (GAO) says CISA could do more to communicate this shift.
Nine of 12 CISA officials and all 10 of the infrastructure stakeholders that the government watchdog interviewed questioned the relevance and usefulness of the program. Stakeholders said, for instance, that the program’s list was not reflective of the cyber threat.
The majority of the critical infrastructure stakeholders GAO met with said that cyber attacks from inside actors, foreign adversaries, and others were among the most prevalent threats that they faced. These attacks can take many forms, such as ransomware or mis/disinformation. On February 18, CISA issued new guidance intended to raise awareness amongst critical infrastructure owners and operators on the risks of foreign influence operations. The document outlines steps organizations can take to mitigate the effects of mis/disinformation, such as ensuring swift coordination in information sharing and communicating accurate and trusted information to bolster resilience.
“We need to be prepared for the potential of foreign influence operations to negatively impact various aspects of our critical infrastructure with the ongoing Russia-Ukraine geopolitical tensions,” said CISA Director Jen Easterly days before the Russian invasion of Ukraine.
In 2019, CISA published a set of 55 critical functions of government and the private sector considered vital to the security, economy, and public health and safety of the nation. CISA officials told GAO that the National Critical Functions framework is intended to better assess how failures in key systems, assets, components, and technologies may cascade across the 16 critical infrastructure sectors. GAO found that CISA is currently carrying out a process to break down each of the 55 national critical functions (such as “supply water”) into systems (such as “public water systems”) and assets (including infrastructure such as “water treatment plants”).
CISA plans to integrate this National Critical Functions framework into broader prioritization and risk management efforts, and has already used it to inform key agency actions. For example, CISA used the framework to analyze the impact of COVID-19 on critical infrastructure and to assess the cross-sector and national-level impacts of other events, such as the 2021 cyberattack on the Colonial Pipeline Company.
Although CISA initiated the functions framework in 2019, most of the federal and nonfederal critical infrastructure stakeholders that GAO interviewed reported being generally uninvolved with, unaware of, or not understanding the goals of the framework. GAO found that stakeholders did not understand how the framework related to prioritizing infrastructure, how it affected planning and operations, or where their particular organizations fell within it. CISA officials responded that stakeholders with local operational responsibilities were the least likely to be familiar with the National Critical Functions, which were intended to improve the analysis and management of cross-sector and national risks. Still, CISA officials acknowledged the need to improve the connection between the National Critical Functions framework and local and operational risk management activities and communications. GAO also found that CISA lacks an available documented framework plan with goals and strategies that describe what it intends to achieve and how.
CISA’s reorganization in 2020 resulted in challenges in communicating and coordinating the delivery of some cybersecurity services, GAO said. Regional staff told the watchdog that their ability to effectively coordinate the cybersecurity services that CISA headquarters delivered was impaired because of staff placement following the reorganization. Staff conducting outreach and offering a suite of cybersecurity assessments to critical infrastructure stakeholders are located in regional offices, while CISA offers additional cyber assessment services using staff from a different division—the Cybersecurity Division—which operates out of headquarters. Addressing these communication and coordination challenges could improve CISA’s cybersecurity support.
Some stakeholders told GAO that CISA’s threat information helped them to understand the broader threat landscape, such as threats to election security and COVID-19 response efforts. Almost half (12 of 25) of the stakeholders reported needing additional information related to the threats specific to their regions and local infrastructure. Specifically, stakeholders told GAO that organizations in their regions were primarily concerned with active shooters, chemical spills, or biological attacks and, thus, needed information that was applicable to those threats. State homeland security agency officials echoed these concerns. Some said, for example, that their state needed more threat information that related to domestic violent extremism.
CISA officials acknowledged the need to improve regionally specific threat information sharing but said that they faced challenges in doing so, such as limited intelligence resources dedicated to serving the regions.
GAO has recommended six actions to improve how CISA delivers cybersecurity services and shares threat information with the critical infrastructure community:
- improve its process for identifying critical infrastructure priorities to better reflect current threats;
- seek input from states that have not provided recent updates on identifying critical infrastructure;
- involve stakeholders in the development of the National Critical Functions framework;
- document goals and strategies for the National Critical Functions framework;
- improve efforts to coordinate cybersecurity services; and
- share regionally specific threat information.
The Department of Homeland Security (DHS) concurred and committed to “a comprehensive update of nomination thresholds” in fiscal year 2023. CISA will be reaching out to states that did not submit nominations in the last three fiscal years to confirm they are aware of the program. The agency will also conduct outreach to stakeholders through “Communities of Interest” it has identified for each National Critical Function. Clear documentation of CISA’s goals and strategies for the National Critical Functions will be provided and the agency will establish and document formal mechanisms for coordination and feedback on service delivery. DHS also stated that CISA is conducting a pilot program to support regional intelligence requirements, which is estimated to be completed in six months. If successful, it could be rolled out across all regions.