GAO: CISA Needs to Finish Organizational Transformation to Protect Nation’s Cybersecurity
Thursday, March 11, 2021

The Government Accountability Office (GAO) said in a report that the Cybersecurity and Infrastructure Agency (CISA) must finish the third phase of its organizational transformation in order to be able to fully identify and respond to cyber attacks.

In 2018, Congress passed the Cybersecurity and Infrastructure Security Act, which led to the Department of Homeland Security (DHS) launching an organizational transformation initiative. As part of that reorganization, DHS elevated CISA to agency status within the organization and prescribed changes to its structure, including mandating that it have separate divisions on cybersecurity, infrastructure security and emergency communications. At the time, DHS also assigned specific responsibilities to the agency.

So far, CISA has completed the first two of three phases of its organizational transformation initiative, which resulted in, among other things, a new organization chart, consolidation of multiple incident response centers and consolidation of points of contact for infrastructure security stakeholders. Phase three is intended to fully implement the agency's planned organizational changes.

CISA intended to fully implement the transformation by December, but it had only completed 37 of 94 planned tasks for phase three by mid-February. Among the tasks not yet completed, 42 of them were past their most recent planned completion dates. Included in these 42 are the tasks of finalizing the mission-essential functions of CISA's divisions and issuing a memorandum defining incident management roles and responsibilities across CISA.

GAO said that tasks such as these appear to be critical to CISA's transformation initiative and, accordingly, to its ability to effectively and efficiently carry out its cyber protection mission. In addition, GAO noted that the agency had not established an updated overall deadline for completing its transformation initiative.

“Until it establishes updated milestones and an overall deadline for its efforts, and expeditiously carries out these plans, CISA will be hindered in meeting the goals of its organizational transformation initiative,” the GAO said. “This in turn may impair the agency's ability to identify and respond to incidents, such as the cyberattack discovered in December 2020 that caused widespread damage.”

Of 10 selected key practices for effective agency reforms previously identified by GAO, CISA’s organizational transformation generally addressed four, partially addressed five, and did not address one, GAO said.

“For example, CISA generally addressed practices related to using data and evidence to support its planned reforms and engaging its employees in the organizational change process,” the GAO report said. “The agency partially addressed practices related to, for example, defining goals and outcomes and conducting workforce planning. Workforce planning is especially important for CISA, given the criticality of hiring and retaining experts who, among other things, can help identify and respond to complex attacks. CISA did conduct an initial assessment of its cybersecurity workforce in 2019; however, it is still working on analyzing capability gaps and determining how to best fill those gaps. Finally, CISA did not address the practice of ensuring that its employee performance management system was aligned with its new organizational structure and transformation goals. Until it fully addresses workforce planning and the five other practices that are either partially or not addressed, CISA’s ability to leverage its organizational changes to effectively carry out its mission will be hindered.”

GAO said that it talked with private and government stakeholders in 16 sectors who said that they had faced some challenges in coordinating with CISA.

“CISA has activities under way to mitigate some of these challenges, including tracking stakeholder inquiries to monitor the timeliness of responses and delivering briefings with intelligence tailored to stakeholder needs,” the GAO report said. “However, it has not developed strategies to clarify changes to its organizational structure, have consistent stakeholder involvement in the development of guidance and distribute information to all key stakeholders. Organizational structure and information distribution are both considered new challenges associated with the reorganization of CISA. Developing strategies to mitigate these challenges could help provide CISA with assurance that its stakeholders are receiving the information and support needed to make decisions about risks facing the nation's critical infrastructures.”

GAO made 11 recommendations on how CISA can reach its full potential, and DHS agreed with them.
