October 2, 2022


Critical Infrastructure Protection: CISA Should Improve Priority Setting, Stakeholder Involvement, and Threat Information Sharing

What GAO Found

Through the National Critical Infrastructure Prioritization Program, the Cybersecurity and Infrastructure Security Agency (CISA) is to identify a list of systems and assets that, if destroyed or disrupted, would cause national or regional catastrophic effects. Consistent with the Implementing Recommendations of the 9/11 Commission Act of 2007, the program works to annually update and prioritize the list. The program’s list is used to inform the awarding of preparedness grants to states. However, nine of 12 CISA officials and all 10 of the infrastructure stakeholders GAO interviewed questioned the relevance and usefulness of the program. For example, stakeholders identified cyberattacks as among the most prevalent threats they faced but said that the program’s list was not reflective of this threat. Further, according to CISA data, since fiscal year 2017, no more than 14 states (of 56 states and territories) provided updates to the program in any given fiscal year. Ensuring that its process for determining priorities reflects current threats, such as cyberattacks, and incorporates input from additional states would give CISA greater assurance that it and stakeholders are focused on the highest priorities.

In 2019, CISA published a set of 55 critical functions of government and the private sector considered vital to the security, economy, and public health and safety of the nation. According to CISA officials, this new National Critical Functions framework is intended to better assess how failures in key systems, assets, components, and technologies may cascade across the 16 critical infrastructure sectors. Examples of critical functions are shown below in CISA’s four broad categories of “connect” (nine of the 55 functions), “distribute” (nine), “manage” (24), and “supply” (13).

Examples of Cybersecurity and Infrastructure Security Agency (CISA) National Critical Functions

CISA is currently carrying out a process to break down each of the 55 national critical functions (such as “supply water”) into systems (such as “public water systems”) and assets (including infrastructure such as “water treatment plants”), as illustrated below.

Examples of Critical Infrastructure Systems and Assets That Support the National Critical Function “Supply Water”

CISA plans to integrate the National Critical Functions framework into broader prioritization and risk management efforts, and has already used it to inform key agency actions. For example, CISA used the framework to analyze the impact of COVID-19 on critical infrastructure. Although CISA initiated the functions framework in 2019, most of the federal and nonfederal critical infrastructure stakeholders that GAO interviewed reported being generally uninvolved with, unaware of, or not understanding the goals of the framework. Specifically, stakeholders did not understand how the framework related to prioritizing infrastructure, how it affected planning and operations, or where their particular organizations fell within it. In response, CISA officials stated that stakeholders with local operational responsibilities were the least likely to be familiar with the National Critical Functions, which were intended to improve the analysis and management of cross-sector and national risks. Still, CISA officials acknowledged the need to improve the connection between the National Critical Functions framework and local and operational risk management activities and communications. In addition, CISA has not made available a documented framework plan with goals and strategies that describe what it intends to achieve and how. Without such a documented plan, stakeholders’ questions regarding the framework will likely persist.

CISA offers physical and cybersecurity assessments to critical infrastructure partners, but the agency’s 2020 reorganization resulted in challenges in communicating and coordinating the delivery of some cybersecurity services. According to regional staff, their ability to effectively coordinate the cybersecurity services that CISA headquarters delivered was impaired because of staff placement following the reorganization. Specifically, staff conducting outreach and offering a suite of cybersecurity assessments to critical infrastructure stakeholders are located in regional offices, while CISA offers additional cyber assessment services using staff from a different division—the Cybersecurity Division—which operates out of headquarters. Addressing these communication and coordination challenges can improve CISA’s cybersecurity support.

CISA analyzes and shares threat information related to critical infrastructure; however, stakeholders reported needing more regionally specific information to address those threats. For instance, selected stakeholders that GAO spoke to said that CISA’s threat information helped them to understand the broader threat landscape, such as threats to election security and COVID-19 response efforts. Almost half (12 of 25) of the stakeholders reported needing additional information related to the threats specific to their regions and local infrastructure. Specifically, stakeholders told us that organizations in their regions were primarily concerned with active shooters, chemical spills, or biological attacks and, thus, needed information that was applicable to those threats.

Why GAO Did This Study

The risk environment for critical infrastructure ranges from extreme weather events to physical and cybersecurity attacks. The majority of critical infrastructure is owned and operated by the private sector, making it vital that the federal government work with the private sector, along with state, local, tribal, and territorial partners. CISA is the lead federal agency responsible for overseeing domestic critical infrastructure protection efforts.

GAO was asked to review CISA’s critical infrastructure prioritization activities. This report examines (1) the extent to which the National Critical Infrastructure Prioritization Program currently identifies and prioritizes nationally significant critical infrastructure, (2) CISA’s development of the National Critical Functions framework, and (3) key services and information that CISA provides to mitigate critical infrastructure risks.

GAO analyzed agency documentation and conducted interviews with critical infrastructure stakeholders representing the energy, water and wastewater systems, critical manufacturing, and information technology sectors; six of 10 CISA regions; and six states to understand the need for any improvements to CISA’s efforts, among other things. GAO selected these six states based on population size and the amounts of grant awards received from DHS’s State Homeland Security Program.

