Critical Infrastructure Protection: CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector
Fast Facts
The communications sector—comprising mostly private broadcast, cable, satellite, wireless, and wired systems and networks—is vital to national security.
The Cybersecurity and Infrastructure Security Agency supports the security and resilience of this sector, primarily through incident management and information-sharing activities. For instance, the agency coordinates federal activities during severe weather events, and manages cybersecurity programs.
However, the agency has not assessed the effectiveness of its programs and services to support this sector. We recommended that it do so.
Highlights
What GAO Found
The Communications Sector is an integral component of the U.S. economy and faces serious physical, cyber-related, and human threats that could affect the operations of local, regional, and national level networks, according to the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and sector stakeholders.
Examples of Potential Security Threats to the Communications Sector
In addition, CISA determined that the Communications Sector depends on other critical infrastructure sectors—in particular, the Energy, Information Technology, and Transportation Systems Sectors—and that damage, disruption, or destruction to any one of these sectors could severely impact the operations of the Communications Sector.
CISA primarily supports the Communications Sector through incident management and information-sharing activities, such as coordinating federal activities to support the sector during severe weather events and managing cybersecurity programs, but has not assessed the effectiveness of these actions. For example, CISA has not determined which types of infrastructure owners and operators (e.g., large or small telecommunications service providers) may benefit most from CISA's cybersecurity programs and services or may be underrepresented participants in its information-sharing activities and services. By assessing the effectiveness of its programs and services, CISA would be better positioned to identify its highest priorities.
CISA has also not updated the 2015 Communications Sector-Specific Plan, even though DHS guidance recommends that such plans be updated every 4 years. As a result, the current 2015 plan lacks information on new and emerging threats to the Communications Sector, such as security threats to the communications technology supply chain, and disruptions to position, navigation, and timing services. Developing and issuing an updated plan would enable CISA to set goals, objectives, and priorities that address threats and risks to the sector, and help meet its sector risk management agency responsibilities.
Why GAO Did This Study
The Communications Sector, one of 16 critical infrastructure sectors, is vital to the United States. Its incapacitation or destruction could have a debilitating impact on the safety and security of our nation. The private sector owns and operates the majority of communications infrastructure, including broadcast, cable, satellite, wireless, and wireline systems and networks. DHS's CISA is the lead federal agency responsible for supporting the security and resilience of the sector.
GAO examined (1) the security threats CISA has identified to the sector, (2) how CISA supports the sector, and (3) the extent to which CISA has assessed its support and emergency preparedness for the sector. GAO reviewed DHS reports, plans, and risk assessments on the sector and interviewed CISA officials and private sector stakeholders to identify and evaluate CISA's actions to support the security and resilience of the Communications Sector.
Recommendations
GAO is making three recommendations to CISA, including that CISA assess the effectiveness of its support to the Communications Sector, and revise its Communications Sector-Specific Plan. The Department of Homeland Security concurred with the recommendations. The Department of Commerce and the Federal Communications Commission did not provide comments on the draft report.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Cybersecurity and Infrastructure Security Agency | The Director of CISA should assess the effectiveness of CISA's programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience. (Recommendation 1) |
Open
In November 2021, we reported that CISA had numerous programs and services to support the security and resilience of the Communications Sector, but CISA had not assessed the effectiveness of these actions. Specifically, we found that CISA had not developed or implemented metrics or analyzed feedback received from Communications Sector owners and operators to determine if those entities found its programs and services useful or relevant. Further, CISA had not evaluated its programs and services to determine which types of Communications Sector owners and operators may benefit most from participation. Consequently, we recommended the Director of CISA should assess the effectiveness of CISA's programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience. CISA concurred with our recommendation and, in February 2023, informed us that it developed an Emergency Support Function #2 feedback form that is made available to Communications Sector stakeholders so that they may provide insight on the usefulness and relevance of CISA's activities. CISA stated that responses to the survey will be reviewed and used to conduct analysis on the feedback and create metrics on a quarterly basis, to include an annual assessment which will provide recommendations to improve the agency's support of the Communications Sector. However, as of November 2023, CISA also stated that it has not yet collected a sufficient number of responses to conduct a meaningful analysis on the feedback. To fully implement this recommendation, CISA needs to complete the efforts outlined above. According to CISA, it expects to be able to fully address our recommendation by March 29, 2024. We will obtain an update on the status of this recommendation from CISA in April 2024
|
| Cybersecurity and Infrastructure Security Agency | The Director of CISA should complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. (Recommendation 2) |
Open
In November 2021, we reported that CISA had taken actions to support emergency preparedness for the Communications Sector, but had not completed an assessment of its capabilities to perform as the federal coordinator for Emergency Support Function #2 (ESF #2), as called for in Federal Emergency Management Agency (FEMA) guidance. As a result, we recommended the Director of CISA should complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. CISA concurred with our recommendation and, in March 2023, provided us with documentation to illustrate that a Primary Alternate Contingency Emergency (PACE) initiative, which served as the capability gap analysis, had been partially implemented in 2022. The ongoing PACE initiative will assist in the development of an updated ESF #2 Concept of Operations (CONOPS) document that will identify roles and responsibilities, establish requirements, and maintain a current list of department and agency capabilities. CISA reported in November 2023 that the goal is to complete the ESF #2 CONOPS by December 31, 2023, noting that ESF #2 encountered several real-world disaster response activations which delayed progress developing the CONOPS. In the interim, CISA/IOD created and implemented proposed changes to ESF #2 guidance on operations until the ESF #2 CONOPS is finished. We will continue to monitor the agency's progress on this recommendation.
|
| Cybersecurity and Infrastructure Security Agency | The Director of CISA, in coordination with public and private Communications Sector stakeholders, should produce a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities. (Recommendation 3) |
Open
In November 2021, we reported that CISA had not produced an updated Communications Sector-Specific Plan since 2015 even though, according to DHS's National Infrastructure Protection Plan, each critical infrastructure sector should update its sector-specific plan every 4 years to reflect sector priorities and describe national preparedness efforts, among other things. During our review, CISA officials told us that the agency had not revised its Communications Sector-Specific Plan because the majority of the plan was still valid; however, these officials also acknowledged that certain elements of the plan were out of date and agreed the plan should be revised. As a result, we recommended the Director of CISA, in coordination with public and private Communications Sector stakeholders, should produce a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities. CISA concurred with our recommendation and, in May 2022, informed us that its Stakeholder Engagement Division plans to update the Communications Sector-Specific Plan upon completion of updates to the National Plan, which will incorporate key provisions of the FY 2021 National Defense Authorization Act that codified and clarified Sector Risk Management Agency roles and responsibilities. In November 2023, CISA provided an update stating that it remains committed to addressing this recommendation; however, updates to the National Plan are on hold until the White House completes its review of Presidential Policy Directive 21. According to CISA, in coordination with public and private Communications Sector stakeholders, CISA's Stakeholder Engagement Division still intends to develop a new, updated Communications Sector-Specific Plan following completion of updates to the National Plan, which is now expected to be complete by the end of FY 2025. We will continue to monitor the agency's progress on this recommendation.
|