DHS Sets List of National Critical Functions, Marking Shift from CI Sectors

Cybersecurity flag

The Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA) released a list of 55 “national critical functions” today, signaling a shift from protecting specific critical infrastructure sectors to protecting specific activities that are crucial to the country.

The functions are divided into four different areas:

  • Supply, which focuses on providing resources to the public;
  • Distribute, which has a heavy focus on the movement of goods and people;
  • Manage, which is the largest bucket with a variety of functions; and
  • Connect, which focuses on telecommunications and internet services.

To meet the threshold of a national critical function, an activity must be “so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof,” according to CISA’s definition.

“The National Critical Functions construct provides a risk management approach that focuses on better understanding the functions that an entity enables or to which it contributes, rather than focusing on a static sector-specific or asset world view,” CISA said in a statement.

Of particular interest to Federal IT will be functions such as:

  • Provide Information Technology Products and Services;
  • Conduct Elections;
  • Perform Cyber Incident Management Capabilities;
  • Protect Sensitive Information;
  • Provide Identity Management and Associated Trust Support Services;
  • Operate Core Network;
  • Provide Positioning, Navigation, and Timing Services; and
  • Provide Internet Based Content, Information, and Communication Services.

“Ultimately, the set of National Critical Functions is a launching pad for executing a more advanced approach to cybersecurity and critical infrastructure security and resilience. The National Critical Functions do not directly set national priorities but they support a more strategic way of doing so,” CISA stated.

The next step for the agency will be to create a risk register to find the scenarios, dependencies, risk attributes, and readiness that keeps industry up at night.

Categories

Recent