A Government Accountability Office (GAO) report says the Cybersecurity and Infrastructure Security Agency (CISA) isn’t fully up and running yet. As a result, the watchdog says it may be difficult for CISA to identify and respond to cybersecurity incidents, such as the major attack reported in December 2020 that affected both government and private industry.
Federal legislation enacted in November 2018 established CISA to advance the mission of protecting federal civilian agencies’ networks from cyber threats and to enhance the security of the nation’s critical infrastructures in the face of both physical and cyber threats. To implement this legislation, CISA undertook a three-phase organizational transformation initiative aimed at unifying the agency, improving mission effectiveness, and enhancing the workplace experience for CISA employees.
The 2018 act elevated CISA to agency status; prescribed changes to its structure, including mandating that it have separate divisions on cybersecurity, infrastructure security, and emergency communications; and assigned specific responsibilities to the agency. The GAO review found that CISA has completed the first two of three phases of its organizational transformation initiative, which resulted in, among other things, a new organization chart, consolidation of multiple incident response centers, and consolidation of points of contact for infrastructure security stakeholders. Phase three is intended to fully implement the agency’s planned organizational changes.
CISA intended to fully implement the transformation by December 2020, but GAO found it had completed just 37 of 94 planned tasks for phase three by mid-February 2021. Among the tasks not yet completed, 42 of them were past their most recent planned completion dates. Included in these 42 are the tasks of finalizing the mission-essential functions of CISA’s divisions and issuing a memorandum defining incident management roles and responsibilities across CISA. The watchdog’s March 10 report notes that tasks such as these are critical to CISA’s transformation initiative as well as its ability to effectively and efficiently carry out its cyber protection mission.
Regarding the delays, in November 2020, two CISA officials, the Deputy Director and the former Chief of Transformation, stated that some of the more significant tasks, particularly those related to finalizing the organizational structure and the mapping of program personnel, had taken longer than anticipated because of the need to obtain buy-in from various stakeholders. For example, they stated that input from Congress required additional clarification of the organizational structure. The officials also noted that some other delays arose because coordination with Department of Homeland Security leadership and the Office of Management and Budget, which was necessary to get buy-in on the agency’s revised organizational structure, took longer than CISA anticipated.
The COVID-19 pandemic did not significantly hamper progress, CISA officials said, due largely to the fact that phase three had already begun before the move to remote work in March 2020.
CISA had not at the time of GAO’s review established an updated overall deadline for completing its transformation initiative. Ultimately GAO found that the delay in completing the transformation initiative “may impair the agency’s ability to identify and respond to incidents, such as the cyberattack discovered in December 2020 that caused widespread damage.”
GAO’s review examined challenges faced by stakeholders in coordinating with CISA. The six federal CIOs that the watchdog spoke with did not generally identify challenges in coordinating with CISA, though two noted that timeliness of responses to requests for information could be improved and two said the agency’s new organizational structure could be better clarified. Similarly, emergency communications stakeholders did not generally identify challenges, although three noted that they perceived that cybersecurity was receiving increased attention from CISA compared with emergency communications and interoperability.
In contrast, stakeholders from 14 of the 16 critical infrastructure sectors (seven Sector Coordinating Councils and seven Government Coordinating Councils) reported a number of coordination challenges. Broadly speaking these challenges pertained to a lack of clarity on changes to CISA’s organizational structure, lack of involvement in developing stakeholder guidance, lack of timely responses to stakeholder requests, inconsistent distribution of information, and lack of access to actionable intelligence.
CISA officials responded that while the organizational structure of the agency has changed, the program leads and contact points generally have not. They added that they have taken steps to make it easier for stakeholders to access CISA services and assistance. For example, CISA Central, the agency portal for customer interactions, is intended to be a consistent “front door” for interactions with the agency, and the service catalog, which lists available CISA services and products, is intended to make it easier for partners and potential partners to see what services CISA provides.
The officials acknowledged that stakeholders have been asking for greater involvement and stated they are currently working on a new version of the National Infrastructure Protection Plan, which is expected to revisit the partnership model, including stakeholder engagement.
Addressing stakeholder concerns regarding inconsistent distribution of information, CISA officials said they do not perceive inconsistent information distribution as a challenge because their teams coordinate monthly with all the sector-specific agencies, which act as the Government Coordinating Councils’ chairs. In addition, the officials stated that CISA is required, as a compliance requirement under the Critical Infrastructure Partnership Advisory Council, to maintain accurate records about who chairs the various councils and other entities, and that distribution lists are updated on a regular basis and published quarterly. GAO notes in its report that as of November 2020, CISA had not provided documentation of these coordination efforts.
CISA officials cited the lack of access to actionable intelligence as a “perennial challenge” but noted that CISA uses classified information forums, specialized briefings, and classified briefings at the beginning of joint coordinating council meetings and works with every sector to develop “key intelligence questions” to help focus on what is significant to the sector and to ensure that products meet their needs.
Stakeholders gave positive feedback on CISA’s response to COVID-19, adding that the agency was able to provide useful products and information, and in some cases was able to help procure particularly needed supplies such as personal protective equipment for the critical infrastructure sectors.
Recent cyber incidents have highlighted the importance of fully implementing CISA’s organizational changes, and GAO has therefore made eleven recommendations to the agency to help it do so. The Department of Homeland Security concurred and set out some of the action taken and to be taken to meet the recommendations. For example, the department stated that CISA soon plans to create an updated task list with prioritized tasks and completion dates, and establish an overall deadline for the transformation initiative.