Critical Infrastructure Protection: CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector
The communications sector—comprising mostly private broadcast, cable, satellite, wireless, and wired systems and networks—is vital to national security.
The Cybersecurity and Infrastructure Security Agency supports the security and resilience of this sector, primarily through incident management and information-sharing activities. For instance, the agency coordinates federal activities during severe weather events, and manages cybersecurity programs.
However, the agency has not assessed the effectiveness of its programs and services to support this sector. We recommended that it do so.
What GAO Found
The Communications Sector is an integral component of the U.S. economy and faces serious physical, cyber-related, and human threats that could affect the operations of local, regional, and national level networks, according to the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and sector stakeholders.
Examples of Potential Security Threats to the Communications Sector
In addition, CISA determined that the Communications Sector depends on other critical infrastructure sectors—in particular, the Energy, Information Technology, and Transportation Systems Sectors—and that damage, disruption, or destruction to any one of these sectors could severely impact the operations of the Communications Sector.
CISA primarily supports the Communications Sector through incident management and information-sharing activities, such as coordinating federal activities to support the sector during severe weather events and managing cybersecurity programs, but has not assessed the effectiveness of these actions. For example, CISA has not determined which types of infrastructure owners and operators (e.g., large or small telecommunications service providers) may benefit most from CISA's cybersecurity programs and services or may be underrepresented participants in its information-sharing activities and services. By assessing the effectiveness of its programs and services, CISA would be better positioned to identify its highest priorities.
CISA has also not updated the 2015 Communications Sector-Specific Plan, even though DHS guidance recommends that such plans be updated every 4 years. As a result, the current 2015 plan lacks information on new and emerging threats to the Communications Sector, such as security threats to the communications technology supply chain, and disruptions to position, navigation, and timing services. Developing and issuing an updated plan would enable CISA to set goals, objectives, and priorities that address threats and risks to the sector, and help meet its sector risk management agency responsibilities.
Why GAO Did This Study
The Communications Sector, one of 16 critical infrastructure sectors, is vital to the United States. Its incapacitation or destruction could have a debilitating impact on the safety and security of our nation. The private sector owns and operates the majority of communications infrastructure, including broadcast, cable, satellite, wireless, and wireline systems and networks. DHS's CISA is the lead federal agency responsible for supporting the security and resilience of the sector.
GAO examined (1) the security threats CISA has identified to the sector, (2) how CISA supports the sector, and (3) the extent to which CISA has assessed its support and emergency preparedness for the sector. GAO reviewed DHS reports, plans, and risk assessments on the sector and interviewed CISA officials and private sector stakeholders to identify and evaluate CISA's actions to support the security and resilience of the Communications Sector.
Recommendations
GAO is making three recommendations to CISA, including that CISA assess the effectiveness of its support to the Communications Sector, and revise its Communications Sector-Specific Plan. The Department of Homeland Security concurred with the recommendations. The Department of Commerce and the Federal Communications Commission did not provide comments on the draft report.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Cybersecurity and Infrastructure Security Agency | The Director of CISA should assess the effectiveness of CISA's programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience. (Recommendation 1) |
In November 2021, we reported that CISA had numerous programs and services to support the security and resilience of the Communications Sector, but CISA had not assessed the effectiveness of these actions. Specifically, we found that CISA had not developed metrics or analyzed feedback received from Communications Sector owners and operators to determine if those entities found its programs and services useful or relevant. Further, CISA had not evaluated its programs and services to determine which types of Communications Sector owners and operators may benefit most from participation. Consequently, we recommended the Director of CISA should assess the effectiveness of CISA's programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience. CISA concurred with our recommendation and, in May 2022, informed us that it is in the process of updating the existing National Infrastructure Protection Plan to include, as specified in the Fiscal Year 2021 National Defense Authorization Act, the codification and clarification of roles and responsibilities of Sector Risk Management Agencies and a government-wide requirement to evaluate and report on the effectiveness in carrying out these responsibilities. CISA informed us that the updated National Plan will define processes and timelines by which all Sector Risk Management Agencies will capture, monitor, assess, measure, and document overall performance, including through metrics that evaluate the usefulness and relevance of the activities supporting sector security and resilience. As the Sector Risk Management Agency for the Communications Sector, CISA stated that it will support sector goals articulated in the updated National Plan by incorporating performance metrics and data collection and reporting processes and timelines, including approaches for collecting sector stakeholder feedback, in an updated Communications Sector-Specific Plan. CISA reported that the updated National Plan is expected to be completed by the end of 2022, and the updated Communications Sector-Specific Plan will subsequently be completed by the end of March 2023. We will continue to monitor the agency's progress on this recommendation.
|
| Cybersecurity and Infrastructure Security Agency | The Director of CISA should complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. (Recommendation 2) |
In November 2021, we reported that CISA had taken actions to support emergency preparedness for the Communications Sector, but had not completed an assessment of its capabilities to perform as the federal coordinator for Emergency Support Function #2, as called for in Federal Emergency Management Agency (FEMA) guidance. As a result, we recommended the Director of CISA should complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. CISA concurred with our recommendation, and in May 2022, informed us that CISA's Integrated Operations Division engaged with FEMA's Office of Response and Recovery Directorate on two primary lines of effort to address it. Specifically, CISA worked with FEMA to update the Emergency Support Function #2 - Communications Annex of the National Response Framework in order to update terminology and add the Federal Communications Commission as a supporting agency, which was completed in September 2021. Second, CISA and FEMA are in the process of updating the August 2016 Response and Recovery Federal Interagency Operations Plan, Annex K - Communications to include information on the processes and mechanisms for establishing requirements. Furthermore, as of May 2022, CISA reported that it has updated and expanded the list of Emergency Support Function #2 capabilities and initiated an on-going capability gap analysis to identify where other resources may be needed to support and implement these requirements. CISA anticipates that it will finalize efforts to close this recommendation by September 30, 2022. We will continue to monitor the agency's progress on this recommendation.
|
| Cybersecurity and Infrastructure Security Agency | The Director of CISA, in coordination with public and private Communications Sector stakeholders, should produce a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities. (Recommendation 3) |
In November 2021, we reported that CISA had not produced an updated Communications Sector-Specific Plan since 2015 even though, according to DHS's National Infrastructure Protection Plan, each critical infrastructure sector should update its sector-specific plan every 4 years to reflect sector priorities and describe national preparedness efforts, among other things. During our review, CISA officials told us that CISA had not updated its Communications Sector-Specific Plan because the majority of the plan was still valid; however, these officials also acknowledged that certain elements of the plan were out of date and agreed the plan should be revised. As a result, we recommended the Director of CISA, in coordination with public and private Communications Sector stakeholders, should produce a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities. CISA concurred with our recommendation and, in May 2022, informed us that its Stakeholder Engagement Division plans to update the Communications Sector-Specific Plan upon completion of updates to the National Plan, which will incorporate key provisions of the January 2021 National Defense Authorization Act that codified and clarified Sector Risk Management Agency roles and responsibilities. According to CISA, the revised Communications Sector-Specific Plan, to be developed in coordination with public and private Communications Sector stakeholders, will describe agreed-upon processes and mechanisms by which sector partners identify, prioritize, and address new and emerging threats as well as goals, objectives, and priorities relating to specific threats within the sector. CISA estimates that the new, updated Communications Sector-Specific Plan will be completed by the end of March 2023. We will continue to monitor the agency's progress on this recommendation.
|