
Critical Infrastructure Protection: CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector

GAO-22-104462 Published: Nov 23, 2021. Publicly Released: Nov 23, 2021.

Fast Facts

The communications sector—comprising mostly private broadcast, cable, satellite, wireless, and wired systems and networks—is vital to national security.

The Cybersecurity and Infrastructure Security Agency supports the security and resilience of this sector, primarily through incident management and information-sharing activities. For instance, the agency coordinates federal activities during severe weather events, and manages cybersecurity programs.

However, the agency has not assessed the effectiveness of its programs and services to support this sector. We recommended that it do so.


Highlights

What GAO Found

The Communications Sector is an integral component of the U.S. economy and faces serious physical, cyber-related, and human threats that could affect the operations of local, regional, and national level networks, according to the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and sector stakeholders.

Examples of Potential Security Threats to the Communications Sector


In addition, CISA determined that the Communications Sector depends on other critical infrastructure sectors—in particular, the Energy, Information Technology, and Transportation Systems Sectors—and that damage, disruption, or destruction to any one of these sectors could severely impact the operations of the Communications Sector.

CISA primarily supports the Communications Sector through incident management and information-sharing activities, such as coordinating federal activities to support the sector during severe weather events and managing cybersecurity programs, but has not assessed the effectiveness of these actions. For example, CISA has not determined which types of infrastructure owners and operators (e.g., large or small telecommunications service providers) may benefit most from CISA's cybersecurity programs and services or may be underrepresented participants in its information-sharing activities and services. By assessing the effectiveness of its programs and services, CISA would be better positioned to identify its highest priorities.

CISA has also not updated the 2015 Communications Sector-Specific Plan, even though DHS guidance recommends that such plans be updated every 4 years. As a result, the current 2015 plan lacks information on new and emerging threats to the Communications Sector, such as security threats to the communications technology supply chain, and disruptions to position, navigation, and timing services. Developing and issuing an updated plan would enable CISA to set goals, objectives, and priorities that address threats and risks to the sector, and help meet its sector risk management agency responsibilities.

Why GAO Did This Study

The Communications Sector, one of 16 critical infrastructure sectors, is vital to the United States. Its incapacitation or destruction could have a debilitating impact on the safety and security of our nation. The private sector owns and operates the majority of communications infrastructure, including broadcast, cable, satellite, wireless, and wireline systems and networks. DHS's CISA is the lead federal agency responsible for supporting the security and resilience of the sector.

GAO examined (1) the security threats CISA has identified to the sector, (2) how CISA supports the sector, and (3) the extent to which CISA has assessed its support and emergency preparedness for the sector. GAO reviewed DHS reports, plans, and risk assessments on the sector and interviewed CISA officials and private sector stakeholders to identify and evaluate CISA's actions to support the security and resilience of the Communications Sector.

Recommendations

GAO is making three recommendations to CISA, including that CISA assess the effectiveness of its support to the Communications Sector, and revise its Communications Sector-Specific Plan. The Department of Homeland Security concurred with the recommendations. The Department of Commerce and the Federal Communications Commission did not provide comments on the draft report.

Recommendations for Executive Action

Agency Affected: Cybersecurity and Infrastructure Security Agency
Recommendation: The Director of CISA should assess the effectiveness of CISA's programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience. (Recommendation 1)
Status: Open
In November 2021, we reported that CISA had numerous programs and services to support the security and resilience of the Communications Sector, but CISA had not assessed the effectiveness of these actions. Specifically, we found that CISA (1) had not evaluated its programs and services to determine which sector owners and operators may benefit most from participation, and (2) had not developed or implemented metrics or analyzed feedback received from sector owners and operators on its programs and services. We recommended the Director of CISA should assess the effectiveness of CISA's programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience. CISA concurred with our recommendation and, in February 2023, informed us that it developed an Emergency Support Function #2 feedback form that is made available to sector stakeholders to provide input on the usefulness and relevance of CISA's activities. CISA stated that responses to the survey will be analyzed and used to create metrics on a quarterly basis, to include an annual assessment with recommendations to improve the agency's support of the Communications Sector. However, as of March 2025, CISA informed us that agency efforts in support of this recommendation were delayed pending the results of an ongoing review of national policies including National Security Memorandum (NSM) 22 on Critical Infrastructure Security and Resilience, which updated national policy on how the U.S. government protects and secures critical infrastructure. Specifically, CISA informed us that activities were delayed due to a White House executive order issued in March 2025 that requires a review of all critical infrastructure policies, to include NSM 22, and recommendations for changes. The executive order calls for this effort to be conducted within 180 days of the order (i.e., September 15, 2025). Until this review is complete and related policy decisions have been finalized, it is unclear when CISA will fully implement this recommendation. We will continue to monitor the agency's progress on implementing this recommendation.

Agency Affected: Cybersecurity and Infrastructure Security Agency
Recommendation: The Director of CISA should complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. (Recommendation 2)
Status: Open
In November 2021, we reported that CISA had taken actions to support emergency preparedness for the Communications Sector, but had not completed an assessment of its capabilities to perform as the federal coordinator for Emergency Support Function #2 (ESF #2), as called for in Federal Emergency Management Agency (FEMA) guidance. As a result, we recommended the Director of CISA should complete a capability assessment for ESF #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. CISA concurred with our recommendation and, in March 2023, provided us with documentation to illustrate that (1) a Primary Alternate Contingency Emergency initiative, which served as the capability gap analysis, had been partially implemented in 2022; and (2) an updated ESF #2 Concept of Operations (CONOPS) document was in development that will identify roles and responsibilities, establish requirements, and maintain a current list of department and agency capabilities. CISA reported in November 2023 that the goal was to complete the ESF #2 CONOPS by the end of December 2023 but noted that ESF #2 encountered several real-world disaster response activations, which delayed its progress. In the interim, CISA created and implemented proposed changes to ESF #2 guidance on operations until the ESF #2 CONOPS is finished. In February and November 2024, CISA reported that the development and finalization of the ESF #2 CONOPS was still ongoing. However, as of February 2025, CISA informed us that completion of the updated ESF #2 CONOPS was delayed to allow new agency leadership to review the document. We will continue to monitor the agency's progress on implementing this recommendation.

Agency Affected: Cybersecurity and Infrastructure Security Agency
Recommendation: The Director of CISA, in coordination with public and private Communications Sector stakeholders, should produce a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities. (Recommendation 3)
Status: Open
In November 2021, we reported that CISA had not produced an updated Communications Sector-Specific Plan since 2015 even though, according to DHS's National Infrastructure Protection Plan (National Plan), each critical infrastructure sector should update its sector-specific plan every 4 years to reflect sector priorities and describe national preparedness efforts, among other things. During our review, CISA officials acknowledged that certain elements of the plan were out of date and agreed the plan should be revised. As a result, we recommended the Director of CISA, in coordination with public and private Communications Sector stakeholders, should produce a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities. CISA concurred with our recommendation and, in May 2022, informed us that the agency planned to update the Communications Sector-Specific Plan upon completion of updates to the National Plan, which was to incorporate key provisions of the FY 2021 National Defense Authorization Act that codified and clarified Sector Risk Management Agency roles and responsibilities. In November 2023, CISA provided an update stating that it remained committed to addressing this recommendation but that updates to the National Plan were on hold until the White House completed its review of Presidential Policy Directive (PPD) 21. Subsequently, in March 2024, CISA informed us that updates to the National Plan continued to be on hold until National Security Memorandum (NSM) 22, which superseded PPD 21, was completed. However, as of March 2025, CISA informed us that agency efforts in support of this recommendation continue to be delayed pending the results of an ongoing review of national policies, including NSM 22, outlining how the U.S. government protects and secures critical infrastructure. Until this review is complete, and related policy decisions have been finalized, it is unclear when CISA will fully implement this recommendation. We will continue to monitor the agency's progress on implementing this recommendation.

GAO Contacts

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Communications, Critical infrastructure, Critical infrastructure protection, Cybersecurity, Emergency preparedness, Homeland security, Information sharing, Information technology, Public and private partnerships, Telecommunications, Telecommunications networks