The Cybersecurity and Infrastructure Security Agency has spent the past year fine-tuning the details of a “foundational shift” in how the agency manages risks, such as cyber attacks and climate change, to key U.S. sectors.
Over the past 12 months, CISA’s National Risk Management Center made “significant progress” in developing the “National Critical Functions” framework, Bob Kolasky, assistant director for the NRMC, wrote in a Dec. 15 memo.
Since 2019, the center has been defining a set of 55 functions to guide a “national-level risk management framework,” he wrote. The functions cut across the 16 sectors that the Department of Homeland Security has traditionally used to define critical infrastructure.
“The 55 NCFs represent a foundational shift that enable the identification and prioritization of systemic risk to critical infrastructure by focusing on the functions, the key assets, systems, and networks that support them, as well as the critical technologies and dependencies that enable them,” Kolasky wrote. “The NCF Framework is based on the idea that critical infrastructure is increasingly cross-sector, and that a siloed approach is not sufficient to manage risk, particularly around cybersecurity.”
The concept of looking at critical systems and functions, rather than individual sectors and companies, has been a driving force behind the center since its launch in 2018.
Over the past year, the center worked with other agencies and the private sector to identify “sub-functions” involved in each of the 55 NCFs. The center has so far identified 294 “primary” sub-functions and 1,059 “secondary” sub-functions out of a total of 3,319 sub-functions, according to a report attached to Kolasky’s memo.
“This more nuanced understanding helps identify where failures might occur and may point to sustainable risk reduction solutions,” the report states. “Applying this approach to the nation’s critical functions helps the NRMC identify dependencies and support the resilience of NCFs in a more targeted, prioritized, and strategic manner.”
The center has identified six main areas of risk to the functions: cyber attacks; the supply chain; misinformation, disinformation and malinformation; natural hazards and climate change; pandemics; and terrorism, according to the report.
CISA also identifies several shared vulnerabilities across the functions, including chronic underinvestment, dependence on common technology, foreign dependencies, and poor cyber hygiene.
Jim Lewis, director of the strategic technologies program at the Center for Strategic and International Studies, said the NCF framework gives CISA and DHS a “methodology for managing risk.”
“It’s not just ad hoc anymore, not just sort of whatever they feel like that week,” Lewis said. “It’s very systematic. . . . It’s professionalizing the risk management function of DHS.”
The push to take a more nuanced view of risks in critical infrastructure also has some congressional backing. House Homeland Security Ranking Member John Katko (R-N.Y.) put forward legislation this year that would authorize CISA to designate “systemically important critical infrastructure,” or SICI. The bill would also require the agency to provide SICI owners with “front of the line services” for technical assistance and participation in CISA programs, such as continuous monitoring and detection services.
“If everything is SICI, if you want to say, then nothing really is SICI,” Katko said during an Oct. 29 CSIS event. “So we’ve got to drill down and, with the input from the private sector, drill down in a collaborative manner to identify what’s truly critical and then dedicate additional resources to those sectors so that we can at least be as sure as we possibly can be that those sectors are as secure as they can be from ransomware attacks and cyber intrusions.”
The House has yet to take action on the bill, but CISA Director Jen Easterly said the agency isn’t waiting on legislation to carry the concept forward.
“We’re going to move forward and do it whether it ends up in legislation or not,” Easterly said during the same CSIS event. “But I think that signaling, that ending up in law will be very helpful in continuing to bring the private sector to the table because I think, we’re in a state now where our critical infrastructure is much more vulnerable than it should be. And frankly, that’s what I worry about most every day.”
A new “Federal Risk Management Working Group” is leading implementation of the NCF Framework under the Federal Senior Leadership Council, according to Kolasky’s report. The working group includes “interagency representatives who will help coordinate interagency efforts to support CISA and FSLC decision-making for NCF risk identification, analysis, prioritization, and mitigation,” he wrote.
CISA is also updating the 2013 “National Infrastructure Protection Plan” to reflect the new functions framework, according to Kolasky’s report. A September report from the DHS Inspector General urged CISA to update the eight-year-old plan. CISA told the IG it would finish the update by September 2022.
“The update will further the goal of breaking down organizational silos through identification, prioritization, and reduction of shared risks,” Kolasky’s report states. “Since a majority of critical infrastructure is privately-owned, effective risk management depends on private sector and government collaboration to understand systemic risk, and how threats may impact one or more NCFs.”
The NRMC is using the functions framework to carry out risk assessments, including the identification of “priority infrastructure, technology or resources.”
The center has already identified which functions are most susceptible to electromagnetic pulse attacks, and it is in the process of doing the same for “hazards associated with climate change,” according to the report.
The functions are also guiding the center’s outreach efforts, including for COVID-19 risk mitigation, and they are being used to guide risk assessments for emerging technologies such as fifth-generation (5G) wireless and post-quantum cryptographic algorithms.
Going forward, the NRMC “will continue to further mature, refine and operationalize the NCF Framework to identify, prioritize and mitigate national level risks in partnership with the Federal Senior Leadership Council and critical infrastructure partners,” Kolasky wrote.
He added that the center’s efforts would include “informing and reinforcing” CISA priorities and capabilities, including the Joint Cyber Defense Collaborative.
Lewis said the strategy laid out in Kolasky’s update represents “a very professional approach to risk management,” but now it is a matter of putting the plan into operation.
He said the center, and CISA more broadly, will likely need more personnel to carry it out, and will need to work with the sector-specific risk management agencies to take action based on the risk assessments.
“Some sectors do a really good job,” Lewis said. “Usually, they’re the heavily regulated ones, and other sectors don’t. So when you look at telecom, or finance, they’re in pretty good shape. We saw what happened with pipelines and the voluntary guidelines, which have changed. The big question is, what needs to be mandatory? When they run this model, it will tell them, ‘Here’s where the risks are.’ And then you have to say, ‘Well, do we mandate a fix?’”