A new report from the Government Accountability Office (GAO) is urging the Cybersecurity and Infrastructure Security Agency (CISA) to improve its workforce planning functions and collaboration with critical infrastructure providers as it helps those providers to address security weaknesses in operational technologies (OT).

The March 7 report surveyed more than a dozen non-Federal entities on their interactions with CISA for OT security-related products and services, and found that results were mixed.

Of the 13 non-Federal entities surveyed, 12 reported “positive experiences” with CISA, while seven said that “negative experiences” with the agency posed problems. Those included issues with timeliness of vulnerability disclosures and “insufficient CISA staff with requisite OT skills.”

“For example, CISA officials stated that its four federal employees and five contractor staff on the threat hunting and incident response service are not enough staff to respond to significant attacks impacting OT systems in multiple locations at the same time,” the report says.

“Seven selected nonfederal entities identified negative experiences using CISA’s products and services as a challenge,” the report says. “For example, one nonfederal entity told GAO that vulnerabilities reported through CISA’s process often take more than a year between the initial report of a vulnerability and public disclosure.”

The report says CISA must focus on “measuring customer service and performing effective workforce planning” to fully address the issues.

“To address these types of challenges, best practices highlight the importance of (1) measuring customer service and (2) performing effective workforce planning. However, CISA has not fully addressed these practices,” GAO said.

“Until CISA does so, the agency will not be optimally positioned to deliver products and services needed to address OT risks,” the agency said.

The report offers four recommendations, all of which CISA concurred with:

  • Measure customer service for its OT products and services;
  • Perform effective workforce planning for OT staff;
  • Issue guidance to the sector risk management agencies on how to update their plans for coordinating on critical infrastructure issues; and
  • Develop a policy on agreements with sector risk management agencies with respect to collaboration.
Jose Rascon
Jose Rascon is a MeriTalk Staff Reporter covering the intersection of government and technology.