GAO Says CISA Should Assess Its Efforts to Protect Communications Sector
Tuesday, November 23, 2021

The Government Accountability Office (GAO) said that the Cybersecurity and Infrastructure Security Agency (CISA) should assess the effectiveness of its programs and services aimed at protecting the communications sector.

CISA supports the security and resilience of the sector, primarily through incident management and information-sharing activities, such as coordinating federal activities during severe weather events and managing cybersecurity programs.

The communications sector is an integral component of the U.S. economy and faces serious physical, cyber-related and human threats that could affect the operations of local, regional, and national level networks, according to CISA and sector stakeholders. In addition, CISA determined that the communications sector depends on other critical infrastructure sectors — in particular, the energy, information technology and transportation systems sectors — and that damage, disruption or destruction to any one of these sectors could severely impact the operations of the communications sector.

The GAO noted that while CISA supports the communications sector through incident management and information-sharing activities, it has not assessed the effectiveness of those actions. For example, the organization said, CISA has not determined which types of infrastructure owners and operators (e.g., large or small telecommunications service providers) may benefit most from CISA's cybersecurity programs and services or may be underrepresented participants in its information-sharing activities and services. By assessing the effectiveness of its programs and services, CISA would be better positioned to identify its highest priorities, the GAO said.

The GAO also noted that CISA has not updated its “2015 Communications Sector-Specific Plan,” even though Department of Homeland Security (DHS) guidance recommends that such plans be updated every four years. As a result, the current 2015 plan lacks information on new and emerging threats to the communications sector, such as security threats to the communications technology supply chain, and disruptions to position, navigation and timing (PNT) services. Developing and issuing an updated plan would enable CISA to set goals, objectives and priorities that address threats and risks to the sector and help meet its sector risk management agency responsibilities, GAO said.

GAO made three recommendations on actions that CISA could take. Those actions are:
• Assessing the effectiveness of its programs and services supporting the communications sector, including developing and implementing metrics and analyzing feedback received from owners and operators to determine the usefulness and relevance of its activities to support sector security and resilience.
• The CISA director should complete a capability assessment for emergency support function (ESF) 2, such as establishing requirements, maintaining a list of current capabilities and conducting a capability gap analysis to identify if and where other resources may be needed.
• The CISA director should, in coordination with public and private communications sector stakeholders, produce a revised “Communications Sector-Specific Plan” to include goals, objectives and priorities that address new and emerging threats and risks to the sector and that are in alignment with sector risk management agency responsibilities.

Find the full report here.
