In a new report, the Government Accountability Office (GAO) is asking the Cybersecurity and Infrastructure Security Agency (CISA) to set time frames for completing its work to help sector risk management agencies (SRMAs) implement their fiscal year (FY) 2021 National Defense Authorization Act (NDAA) responsibilities.
The FY2021 NDAA expanded the responsibilities of SRMAs to include risk assessment and emergency preparedness. It added specific activities for SRMAs to carry out related to sector coordination, incident management, risk management, and information sharing responsibilities.
“For example, the FY21 NDAA requires SRMAs to conduct sector coordination activities, including serving as the day-to-day Federal interface for the prioritization and coordination of sector-specific activities; serving as Federal government coordinating council chair; and participating in cross-sector coordinating councils, as appropriate,” the report says.
CISA is working on guidance to help agencies implement these new responsibilities. However, GAO said that CISA does not have timelines for completing this work. Notably, SRMA officials for all 16 critical infrastructure sectors reported that CISA had not yet provided them guidance.
The government watchdog agency said that setting timelines and milestones is important to track implementation progress, and it can “provide transparency about the progress of reforms.”
“CISA officials said they had not established milestones and timelines to complete CISA’s efforts because the agency has prioritized defining its own role as national coordinator,” the report says.
CISA concurred with the recommendation to establish timelines and milestones, but as of this month, had yet to do so.
Tina Won Sherman, a director in GAO’s Homeland Security and Justice team, discussed the recent report at a March 23 House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing.
“We attempted to try to get an understanding and spoke with all of the sector risk management agencies to understand exactly what their maturity levels are and the extent to which they’ve been effective in their roles,” Won Sherman told the committee. “But CISA doesn’t have a very good handle on what that looks like, and in fact, we heard that directly also from those agencies themselves.”
“So, part of the recommendation that we made was to be able to establish milestones and timelines to implement some of the efforts they have underway – one of which is being able to better understand and assess maturity and effectiveness of those agencies,” she added.