The Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center (NRMC) is cataloguing significant progress it has made in developing its “National Critical Functions” (NCF) framework, and pointing to next steps in the effort.
NRMC Director Bob Kolasky provided the critical infrastructure community with an overview and update on what CISA has done so far, and where the agency would like to go moving forward to enhance the nation’s critical infrastructure risk management capabilities.
The NCFs are intended to support national-level risk prioritization and governance. In 2019, CISA began publishing the first set of NCFs. The 55 NCFs currently available “represent a foundational shift that enables identification and prioritization of systemic risk to critical infrastructure,” Kolasky wrote in a Dec. 15 memo.
The functions focus on 16 sectors that the Department of Homeland Security has traditionally used to define critical infrastructure – including the key assets, systems, and networks that support them, as well as the critical technologies and dependencies that enable them.
Over the last few years, the NRMC has attempted to better understand the processes, systems, technologies, and governance that support the provisions within each NCF.
“This process, called functional decomposition, enables a deeper understanding of how entities come together to produce critical functions,” according to the report attached to the memo. “The decomposition identifies all the layers that produce or deliver an NCF, as well as numerous dependencies and interdependencies within and across each NCF.”
Currently, the NRMC is working with interagency and private sector partners to validate the decompositions. To date, the NRMC’s decomposition work has identified 294 primary sub-functions and 1,059 secondary sub-functions. In many instances, the NRMC has decomposed NCFs even further, with a total of 3,319 sub-functions identified across all 55 NCFs.
“As we move forward, the NRMC will continue to further mature, refine, and operationalize the NCF Framework to identify, prioritize, and mitigate national-level risks in partnership with the Federal Senior Leadership Council and critical infrastructure partners. This will include informing and reinforcing CISA priorities and strategic mitigation capabilities like the Joint Cyber Defense Collaborative,” Kolasky wrote.