The Government Accountability Office (GAO) has examined the cybersecurity efforts of the Chemical Facility Anti-Terrorism Standards (CFATS) program within the Department of Homeland Security, and found that key aspects have not been updated in more than 10 years.
Thousands of high-risk chemical facilities may be exposed to the risk posed by cyber threat adversaries, including terrorists, criminals, or nation states. These adversaries could potentially manipulate facilities’ information and control systems to release or steal hazardous chemicals and inflict mass casualties on surrounding populations.
The CFATS program evaluates high-risk chemical facilities’ cybersecurity efforts via inspections that include reviewing policies and procedures, interviewing relevant officials, and verifying facilities’ implementation of agreed-upon security measures.
For its review, GAO conducted site visits, selected from scheduled inspections, to observe the cybersecurity portion of CFATS inspections; reviewed inspection documents; and interviewed CFATS inspectors. GAO also analyzed inspection guidance and training against key practices and assessed workforce planning documents and processes.
GAO found that the CFATS program has guidance designed to help the estimated 3,300 CFATS-covered facilities comply with cybersecurity and other standards, but crucially, this guidance has not been updated in more than 10 years, in contrast with internal control standards which recommend periodic review. CFATS officials told GAO that the program does not have a process to routinely review its cybersecurity guidance to ensure that it is up to date with current threats and technological advances.
Although the CFATS program has developed and provided cybersecurity training for its inspectors, GAO found that it does not fully address three of four key training practices: CFATS does not systematically collect or track data on inspectors’ cybersecurity training or their knowledge, skills, and abilities; has not developed measures to assess how training contributes to cybersecurity-related program results; and has no process to evaluate whether its cybersecurity training is effective in improving inspector skill sets.
In addition, GAO said the program fails to address cybersecurity needs in its workforce planning process, as recommended by DHS guidance.
To address these concerns, GAO has made six recommendations to the Cybersecurity and Infrastructure Security Agency (CISA):
- Implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals.
- Incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals.
- Track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings.
- Develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms.
- Develop a workforce plan that addresses the program’s cybersecurity-related needs, which should include an analysis of any gaps in the program’s capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them.
- Maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program’s inspection database system to better track facilities’ cyber integration levels.
The Department of Homeland Security concurred with all six recommendations. It aims to complete the work needed to meet the first five by the end of December 2020, and estimates that the sixth and final recommendation will be addressed by October 31, 2021.