The Cybersecurity and Infrastructure Security Agency is working to identify the most vulnerable critical infrastructure organizations across the nation this year, with the agency also establishing an office to coordinate its engagement with those groups.
The agency is moving to identify “systemically important entities” by the end of September, CISA Director Jen Easterly told the Cybersecurity Advisory Committee this week.
“We plan to work very closely with the sector risk management agencies to identify initial systemically important entities and develop a program for enhanced engagement with those previously identified entities,” Easterly said during the March 21 meeting.
CISA will also set up a systemically important entities program office, she added. The fiscal 2023 appropriations agreement included $1.8 million for CISA to set up an “outreach and engagement support” office for systemically important entities.
The advisory committee had recommended CISA “work with sectors to analyze national critical functions and identify key partners in national resiliency” in a report released last September.
CISA defines systemically important entities as those “with primary responsibility for operating National Critical Functions (NCFs), whereby an impact on those entities would create systemic risk for the associated NCF.”
The push to identify the most critical infrastructure nodes was sparked by the Cyber Solarium Commission and carried forward by both CISA and various lawmakers. That includes former House Homeland Security Committee Ranking Member John Katko (R-N.Y.), who introduced “systemically important critical infrastructure (SICI)” legislation multiple times during his tenure.
“If everything is SICI, if you want to say, then nothing really is SICI,” Katko said during a 2021 event. “So we’ve got to drill down and, with the input from the private sector, drill down in a collaborative manner to identify what’s truly critical and then dedicate additional resources to those sectors so that we can at least be as sure as we possibly can be that those sectors are as secure as they can be from ransomware attacks and cyber intrusions.”
“This rewrite effort will clarify and, as necessary, create new federal policy for: (1) how sectoral, cross-sectoral, and systemic risk is identified, assessed and managed; (2) the roles and responsibilities of Sector Risk Management Agencies (SRMAs) to manage and respond to risk in their sectors; and (3) CISA’s role as National Coordinator to lead the national effort to secure and protect critical infrastructure against the myriad of threats and risks faced by the United States, including the responsibility to define critical infrastructure sectors and designate appropriate SRMAs across the federal government,” CISA wrote.
“The 55 NCFs represent a foundational shift that enable the identification and prioritization of systemic risk to critical infrastructure by focusing on the functions, the key assets, systems and networks that support them, as well as the critical technologies and dependencies that enable them,” a 2021 NRMC report states. “The NCF Framework is based on the idea that critical infrastructure is increasingly cross-sector, and that a siloed approach is not sufficient to manage risk, particularly around cybersecurity.”
During this week’s meeting, Cybersecurity Advisory Committee Chairman Tom Fanning, the chief executive of Southern Company, noted “the real key” is getting the private sector to work with the NRMC on understanding and prioritizing interdependencies across both public and privately owned critical infrastructure. He said the advisory committee held several tabletop exercises “to break the system.”
“And in breaking the system, we learned how to protect it better,” Fanning continued. “I think work that lays ahead of us, to build on work that’s already occurred, is this notion of continuity of the economy. When things go wrong, how do we stand ourselves back up and prevent that bad day in America from happening?”