Fast Facts

A 2018 federal law established the Cybersecurity and Infrastructure Security Agency to help protect critical infrastructure from cyber and other threats—but it isn't fully up and running yet.

CISA completed 2 of 3 phases in its organization plan, including defining an organizational structure. It also completed about a third of the tasks planned for the final phase by its December 2020 milestone.

Until CISA updates its milestones and fully implements its plans, it may be difficult for it to identify and respond to cybersecurity incidents, such as the major cyberattack reported in December 2020 that affected both government and private industry.

Highlights

What GAO Found

To implement the requirements of the Cybersecurity and Infrastructure Security Agency (CISA) Act of 2018, CISA leadership within the Department of Homeland Security launched an organizational transformation initiative. The act elevated CISA to agency status; prescribed changes to its structure, including mandating that it have separate divisions on cybersecurity, infrastructure security, and emergency communications; and assigned specific responsibilities to the agency. (See figure 1 below.) CISA completed the first two of three phases of its organizational transformation initiative, which resulted in, among other things, a new organization chart, consolidation of multiple incident response centers, and consolidation of points of contact for infrastructure security stakeholders. Phase three is intended to fully implement the agency's planned organizational changes.

Figure 1: Five Key Responsibilities Assigned to the Cybersecurity and Infrastructure Security Agency (CISA)

While CISA intended to fully implement the transformation by December 2020, it had completed 37 of 94 planned tasks for phase three by mid-February 2021. Among the tasks not yet completed, 42 of them were past their most recent planned completion dates. Included in these 42 are the tasks of finalizing the mission-essential functions of CISA's divisions and issuing a memorandum defining incident management roles and responsibilities across CISA. Tasks such as these appear to be critical to CISA's transformation initiative and accordingly its ability to effectively and efficiently carry out its cyber protection mission. In addition, the agency had not established an updated overall deadline for completing its transformation initiative. Until it establishes updated milestones and an overall deadline for its efforts, and expeditiously carries out these plans, CISA will be hindered in meeting the goals of its organizational transformation initiative. This in turn may impair the agency's ability to identify and respond to incidents, such as the cyberattack discovered in December 2020 that caused widespread damage.

Of 10 selected key practices for effective agency reforms previously identified by GAO, CISA’s organizational transformation generally addressed four, partially addressed five, and did not address one. For example, CISA generally addressed practices related to using data and evidence to support its planned reforms and engaging its employees in the organizational change process. The agency partially addressed practices related to, for example, defining goals and outcomes and conducting workforce planning. Workforce planning is especially important for CISA, given the criticality of hiring and retaining experts who, among other things, can help identify and respond to complex attacks. CISA did conduct an initial assessment of its cybersecurity workforce in 2019; however, it is still working on analyzing capability gaps and determining how to best fill those gaps. Finally, CISA did not address the practice of ensuring that its employee performance management system was aligned with its new organizational structure and transformation goals. Until it fully addresses workforce planning and the five other practices that are either partially or not addressed, CISA’s ability to leverage its organizational changes to effectively carry out its mission will be hindered.

Selected government and private-sector stakeholders from the 16 sectors considered to be critical infrastructures, such as banking and financial institutions, telecommunications, and energy, reported a number of challenges in coordinating with CISA. (See figure 2.)

Figure 2: Cybersecurity and Infrastructure Security Agency (CISA) Coordination Challenges Reported by Stakeholders Representing the 16 Critical Infrastructure Sectors

CISA has activities under way to mitigate some of these challenges, including tracking stakeholder inquiries to monitor the timeliness of responses and delivering briefings with intelligence tailored to stakeholder needs. However, it has not developed strategies to clarify changes to its organizational structure, have consistent stakeholder involvement in the development of guidance, and distribute information to all key stakeholders. Organizational structure and information distribution are both considered new challenges associated with the reorganization of CISA. Developing strategies to mitigate these challenges could help provide CISA with assurance that its stakeholders are receiving the information and support needed to make decisions about risks facing the nation's critical infrastructures.

Why GAO Did This Study

Threats to the nation's critical infrastructures and the information technology systems that support them require a concerted effort among federal agencies; state, local, tribal, and territorial governments; and the private sector to ensure their security. The seriousness of the threat was reinforced by the December 2020 discovery of a cyberattack that has had widespread impact on government agencies, critical infrastructures, and private-sector companies.

Federal legislation enacted in November 2018 established CISA to advance the mission of protecting federal civilian agencies' networks from cyber threats and to enhance the security of the nation's critical infrastructures in the face of both physical and cyber threats. To implement this legislation, CISA undertook a three-phase organizational transformation initiative aimed at unifying the agency, improving mission effectiveness, and enhancing the workplace experience for CISA employees.

GAO was asked to review CISA's organizational transformation initiative and its ability to coordinate effectively with stakeholders. The objectives of GAO's review were to (1) describe CISA's organizational transformation initiative, (2) assess the current progress of the initiative, (3) determine the extent to which CISA's transformation efforts align with key practices for effective agency reform, and (4) identify any challenges in CISA's coordination with stakeholders, and assess strategies the agency has developed to address such challenges.

To do this, GAO reviewed relevant information on CISA's efforts to develop an organizational transformation initiative to meet the requirements of the CISA Act of 2018. To assess the progress of CISA's efforts, GAO analyzed agency documentation to determine the status of activities related to the three phases of the organizational transformation and reasons for any delays in its progress. GAO also assessed CISA's efforts against selected key practices identified by GAO that can contribute to the effectiveness of agency reform efforts. In addition, GAO interviewed selected stakeholders related to CISA's primary mission areas to identify any pertinent challenges and analyzed strategies CISA developed to address these challenges.

Recommendations

GAO is making 11 recommendations to CISA:

  • Establish new expected completion dates for the phase three tasks that are past their completion dates, with priority given to tasks critical to mission effectiveness.
  • Establish an overall deadline for the completion of the transformation initiative.
  • Fully address each of the six reform practices that have been either partially or not addressed.
  • Develop strategies to mitigate each of the three infrastructure challenges that remain outstanding.

The Department of Homeland Security agreed with GAO's recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Homeland Security The Director of CISA should establish expected completion dates for those phase three tasks that are past their completion dates, with priority given to those tasks critical to mission effectiveness. (Recommendation 1)
Open
CISA concurred with this recommendation and in March 2021 agency leadership issued a memorandum that directed several actions to transition transformation activities into operational tasks for implementation by CISA's divisions and mission support offices. However, CISA has not yet detailed how the remaining phase three tasks have been allocated to its divisions and mission support offices. In September 2021, CISA stated that it will provide updated documentation to show the tasks have been allocated by December 31, 2021. Once CISA has provided information, we plan to verify whether implementation has occurred.
Department of Homeland Security The Director of CISA should establish an overall deadline for the completion of the transformation initiative. (Recommendation 2)
Open
CISA concurred with this recommendation, and in March 2021 agency leadership issued a memorandum that directed several actions to transition transformation activities into operational tasks for implementation by CISA's divisions and mission support offices. According to CISA, this constituted the end of phase three of its transformation effort; however, CISA did not provide documentation which detailed how the remaining phase three tasks have been allocated to its divisions and mission support offices, or estimated time frames for completing these remaining tasks. In September 2021, the agency stated that it would provide additional documentation of these activities by December 31, 2021. Once CISA has provided this information, we will verify whether implementation has occurred.
Department of Homeland Security The Director of CISA should establish plans, including time frames, for developing outcome-oriented performance measures to gauge the extent to which the agency's efforts are meeting the goals of the organizational transformation. (Recommendation 3)
Open
CISA concurred with this recommendation and in September 2021 described actions planned and under way to implement it. Specifically, the agency stated that it is developing a draft workplan and timeline to identify metrics and establish an outcome-oriented performance measurement approach. Once complete, CISA stated that this plan will, among other things, gauge the agency's efforts to meet the identified goals of the organizational transformation. CISA plans to complete its effort to identify outcome-oriented performance measures by March 31, 2022. Once CISA has provided documentation of its efforts, we will verify whether implementation has occurred.
Department of Homeland Security The Director of CISA should collect input to ensure that organizational changes are aligned with the needs of stakeholders, taking into account coordination challenges identified in this report. (Recommendation 4)
Open
CISA concurred with this recommendation and in September 2021 stated that it will continue to work with other Sector Risk Management Agencies (SRMA) and with sector partners to define measures and associated data collection processes and procedures necessary to evaluate the effectiveness and performance of SRMAs. This will include the extent to which organizational changes within CISA, or any other SRMA, are aligned with the needs of sector stakeholders. CISA plans to complete this effort by December 30, 2022. Once CISA provides documentation of its actions, we will verify whether implementation has occurred.
Department of Homeland Security The Director of CISA should establish processes for monitoring the effects of efforts to reduce fragmentation, overlap, and duplication including identifying potential cost savings. (Recommendation 5)
Open
CISA concurred with this recommendation and in September 2021 stated that it has conducted an initial methodological assessment of potential approaches to measure fragmentation, duplication, and overlap, as well as an initial review of a baseline analysis. Further, the agency stated that it plans to further refine its measurement approach, including estimates of cost savings generated by the reorganization. CISA plans to complete this effort by December 30, 2022. Once the agency provides documentation of its actions, we plan to verify that implementation has occurred.
Department of Homeland Security The Director of CISA should establish an approach, including time frames, for measuring outcomes of the organizational transformation, including customer satisfaction with organizational changes. (Recommendation 6)
Open
CISA concurred with this recommendation and in September 2021 stated that its Infrastructure Security Division, supported by the Stakeholder Engagement Division, will work with Sector Risk Management Agencies (SRMA) and with sector partners to define performance measures and associated data collection processes and procedures necessary to evaluate the overall performance and effectiveness of SRMAs. This will include customer satisfaction with organizational changes in CISA or other SRMAs. CISA plans to complete this effort by December 30, 2022. Once the agency has provided documentation of its actions, we plan to verify whether implementation has occurred.
Department of Homeland Security The Director of CISA should develop a strategy for comprehensive workforce planning. (Recommendation 7)
Open
CISA concurred with this recommendation and in September 2021 stated that the agency's human capital office is currently working to develop a framework for the workforce planning strategy, with the final product aligned to the goals, objectives, and priorities articulated in CISA's strategic planning. CISA plans to complete this effort by September 30, 2022. Once the agency provides documentation of its actions, we plan to verify whether implementation has occurred.
Department of Homeland Security The Director of CISA should take steps to align the agency's employee performance management system with its organizational changes and associated goals. (Recommendation 8)
Open
CISA concurred with this recommendation and in September 2021 provided information on adjustments it has planned or under way for its performance management system. These include how the performance management system was updated to include newly created divisions and mission support offices as a result of the transformation and how the three "pillars" of the organizational transformation are reflected in the performance management process. In addition, CISA described recent actions regarding the reassessment of its performance management system, specifically regarding a robust approach in educating the supervisory cadre on how to address poor performance and how it incentivizes and rewards top performers. The agency added that its human capital office is currently revising its existing performance management instruction and plans to complete this by March 31, 2022. Once we have received documentation from CISA regarding its actions we plan to verify whether implementation has occurred.
Department of Homeland Security The Director of CISA should communicate relevant organizational changes to selected critical infrastructure stakeholders to ensure that these stakeholders know with whom they should be coordinating in CISA's organization. (Recommendation 9)
Open
CISA concurred with this recommendation and in September 2021 stated that it communicates all relevant organizational changes with selected critical infrastructure stakeholders through Sector Coordinating Councils and Government Coordinating Councils under the Critical Infrastructure Partnership Advisory Council structure defined in the National Infrastructure Protection Plan, last updated in 2013. The agency added that it believes this recommendation has been fully addressed and that no further action is required and will work with GAO to request closure of this recommendation. Once we have received documentation from the agency of its actions, we plan to verify whether implementation has occurred.
Department of Homeland Security The Director of CISA should take steps, with stakeholder input, to determine how critical infrastructure stakeholders should be involved with the development of guidance for their sector. (Recommendation 10)
Open
CISA concurred with this recommendation and in September 2021 stated that in its role as the National Coordinator for the interagency mission to secure the nation's critical infrastructure, the agency is working closely with sector risk management agencies and private sector partners across all sixteen critical infrastructure sectors to address how critical infrastructure stakeholders should be involved with the development of guidance for their sector. CISA added that it plans to complete this effort by December 31, 2021. Once the agency has provided documentation of its actions, we plan to verify whether implementation has occurred.
Department of Homeland Security The Director of CISA should assess the agency's methods of communicating with its critical infrastructure stakeholders to ensure that appropriate parties are included in distribution lists or other communication channels. (Recommendation 11)
Open
CISA concurred with this recommendation and in September 2021 stated that its Infrastructure Security Division, supported by the Stakeholder Engagement Division, is working closely with sector risk management agencies (SRMA) and private sector partners across all 16 critical infrastructure sectors to assess the critical infrastructure partnership management processes, structures, and frameworks that have guided critical infrastructure security efforts in the U.S. since 2005. This includes the methods by which CISA, in both its National Coordinator and SRMA roles, and other SRMAs, communicate with critical infrastructure stakeholders to ensure that appropriate parties are included in distribution lists or other communication channels. The agency plans to complete this effort by December 31, 2021. Once CISA has provided documentation of these actions, we plan to verify whether implementation has occurred.