The Office of Inspector General (OIG) says the Cybersecurity and Infrastructure Security Agency (CISA) cannot demonstrate how its oversight has improved Dams Sector security and resilience.
Nationwide, there are more than 91,000 dams, levees, and other water retention structures protecting homes and businesses, delivering electricity, and providing recreation and transportation. Recent dam failures in Oroville, CA, and Midland, MI, and widespread flooding in the Midwest highlight a need for comprehensive federal oversight and guidance.
CISA became responsible for Dams Sector security and resilience in 2018. But an OIG review found inadequate management of CISA’s Dams Sector activities. The watchdog said in its September 9 report that CISA has not coordinated or tracked its Dams Sector activities; updated overarching national critical infrastructure or Dams Sector plans; or collected and evaluated performance information on Dams Sector activities.
Prior to the Michigan dam failures, for example, the dams’ hydropower license was revoked, and its regulatory authority was transferred from the Federal Energy Regulatory Commission to the State of Michigan in 2018, due to repeated safety violations. CISA officials have said they were unaware of the license transfer or the persistent, unaddressed safety problems that led to the license revocation.
In addition, OIG found that CISA does not consistently provide information to the Federal Emergency Management Agency (FEMA) to help ensure FEMA’s assistance addresses the most pressing needs of the Dams Sector. The report adds that CISA and FEMA also do not coordinate their flood mapping information.
Finally, OIG found that CISA does not effectively use the Homeland Security Information Network Critical Infrastructure Dams Portal to provide external Dams Sector stakeholders with critical information.
The Dams Sector protects homes and businesses from flooding, powers those buildings with electricity, and provides recreation opportunities and safe modes of transportation. To ensure the safety, security, and resilience of the Dams Sector, OIG says CISA needs to ensure full information sharing internally; formalize its internal organizational structure and processes; update its strategic plans; and gather or evaluate performance information on its Dams Sector activities.
Consequently, the watchdog made five recommendations in its report:
- Update the Dams Sector-Specific Plan as required, ensuring alignment with the updated National Infrastructure Protection Plan currently under development.
- Formalize CISA’s organizational structure to clarify roles, responsibilities, coordination processes, and reporting procedures across all divisions performing activities relating to CISA’s role as the Sector-Specific Agency for the Dams Sector.
- Establish policies, procedures, and performance metrics to help ensure CISA divisions consistently assess the impact of all programs and activities relating to CISA’s role as the Sector-Specific Agency for the Dams Sector, and that CISA assess their effectiveness in the role of Sector-Specific Agency for the Dams Sector.
- Strengthen coordination with FEMA by establishing Memorandums of Understanding, Interagency Agreements, or other documented strategies to formally define CISA’s and FEMA’s roles and responsibilities for information sharing and analytical collaboration for grant decision-making related to safety, security, and resilience of dams, as well as the use and applicability of numerical simulation models, flood inundation tools, and supporting geospatial mapping capabilities to support emergency preparedness and incident response.
- Develop and implement a strategy for Dams Sector stakeholders to use the HSIN-CI Dams Portal to its fullest potential. CISA should develop metrics on usage, performance, and training needs; update the Homeland Security Information Network – Critical Infrastructure Dams Portal with clear instructions; and encourage sharing of lessons learned, after action reports, and best practices among stakeholders.
CISA concurred with all five recommendations and aims to complete work to meet these by the end of September 2022. Some of the recommended actions, such as formally documenting some of the processes and coordination mechanisms, will likely be completed by April 2022.