The Cybersecurity and Infrastructure Security Agency (CISA) has not assessed the effectiveness of its programs and services to support the communications sector, the government watchdog says.
The communications sector is an integral component of the U.S. economy and faces serious physical, cyber-related, and human threats that could affect the operations of local, regional, and national level networks, according to CISA and sector stakeholders. The sector (which includes broadcast, cable, satellite, wireless, and wireline communications) also depends on other critical infrastructure sectors—in particular, the energy, information technology, and transportation systems sectors—and any damage, disruption, or destruction to one of these could severely impact communications operations.
CISA is the designated lead agency, or sector risk management agency, responsible for coordinating efforts to help protect and improve the security and resilience of the communications sector. It primarily supports the communications sector through incident management and information-sharing activities, such as coordinating federal activities to support the sector during severe weather events and managing cybersecurity programs, but a review by the Government Accountability Office (GAO) found CISA has not assessed the effectiveness of these actions.
GAO says CISA has also not determined which types of infrastructure owners and operators (e.g., large or small telecommunications service providers) may benefit most from CISA’s cybersecurity programs and services or may be underrepresented participants in its information-sharing activities and services.
CISA officials told GAO that the agency has not assessed the effectiveness of its actions to support the communications sector because of challenges in developing metrics to measure that effectiveness, including collecting voluntary information from sector owners and operators.
CISA also coordinates federal activities to support sector infrastructure owners and operators. For example, on December 25, 2020, a bomb detonated from inside a vehicle parked in downtown Nashville, Tennessee. The explosion damaged more than 40 buildings, knocked out commercial power, and destroyed the power infrastructure that linked to the fixed backup generators for the facility housing communications critical infrastructure. CISA officials coordinated with law enforcement to provide company officials with access to the damaged building to support recovery efforts, and full restoration of services occurred within a few days.
GAO’s review found that CISA has not completed any capability assessment activities for Emergency Support Function #2. The agency said this is due to challenges related to CISA’s organizational transformation initiative and persistent Emergency Support Function #2 activities over the last two years.
GAO also discovered that CISA has not updated the 2015 Communications Sector-Specific Plan, even though DHS guidance recommends that such plans be updated every 4 years. As a result, the current 2015 plan lacks information on new and emerging threats to the communications sector, such as security threats to the communications technology supply chain, and disruptions to position, navigation, and timing services.
CISA officials told GAO that DHS plans to publish an updated National Plan by December 31, 2021, but that there are no current plans, including any specific dates or time frames, to update the 2015 Communications Sector-Specific Plan.
GAO’s November 23 report includes three recommendations to CISA:
- Assess the effectiveness of CISA’s programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience.
- Complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed.
- Produce (in coordination with public and private communications sector stakeholders) a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the sector and that are in alignment with sector risk management agency responsibilities.
The Department of Homeland Security (DHS) concurred and stated that CISA is in the process of refreshing the existing National Infrastructure Protection Plan, which will include metrics to evaluate the activities supporting sector security and resilience. In addition, CISA will incorporate communications sector performance metrics and data collection and reporting processes and timelines, including approaches for collecting sector stakeholder feedback, in an updated Communications Sector-Specific Plan by the end of September 2022.
CISA is also working with FEMA to update the Communications Annex of both the National Response Framework and the Response and Recovery Federal Interagency Operations Plan. CISA will update and expand the list of Emergency Support Function #2 capabilities and conduct a capability gap analysis to identify where other resources may be needed to support and implement these requirements by June 30, 2022.