On 01 March, the Government Accountability Office (GAO) published a new report, “Critical Infrastructure Protection: CISA Should Improve Priority Setting, Stakeholder Involvement, and Threat Information Sharing” (PDF). In the highlights, GAO notes, “CISA offers physical and cybersecurity assessments to critical infrastructure partners, but the agency’s 2020 reorganization resulted in challenges in communicating and coordinating the delivery of some cybersecurity services.” Through its study, GAO identified six recommendations that CISA should take, and DHS concurred. CISA should:
- improve its process for identifying critical infrastructure priorities to better reflect current threats;
- seek input from states that have not provided recent updates on identifying critical infrastructure;
- involve stakeholders in the development of the National Critical Functions framework;
- document goals and strategies for the National Critical Functions framework;
- improve efforts to coordinate cybersecurity services; and
- share regionally specific threat information.
In recent years, CISA has started shifting its focus from seeking to protect a set of critical assets to improving the resilience of critical functions—e.g., supplying water. But, GAO believes it could do more to communicate this shift and that, as noted in the recommendations above, involve stakeholders in the development of the National Critical Functions framework. Among the stakeholders, it is encouraging to see GAO recognize the valuable partnership of the information sharing community. It is often forgotten that Information Sharing and Analysis Centers (ISACs) pre-date DHS, the Department having just turned 19 on 01 March, and the ISAC model having been operational since 1998. The report notes that:
- Officials indicated that CISA’s role as a provider of regionally specific threat information supplemented the efforts of regionally based organizations, such as Fusion Centers and Information Sharing and Analysis Centers, which CISA and other organizations relied on for threat information. CISA officials stated that these organizations were the primary generators of regionally specific threat information and characterized themselves as “information brokers” rather than the source of such information.
- Improving its coordination efforts with regionally based threat information organizations, such as Fusion Centers, Information Sharing and Analysis Centers, Information Sharing and Analysis Organizations, and other organizations could give CISA an opportunity to enhance information sharing with key partners and regional stakeholders, thus potentially reducing vulnerabilities to the nation’s critical infrastructure.
Gate 15 is a strong advocate for the ISAC & ISAO models, having supported a number of ISAC activities since our inception in 2013 and having spun off two separate 501c3 non-profit ISAOs through our incubator program – the Faith-Based Information Sharing and Analysis Organization (FB-ISAO) and Cannabis ISAO. We’re encouraged by GAO’s findings and DHS’s embracing these recommendations.
Additional Background:
- “Perspective – Operational Coordination and Information Sharing: Complimentary Capabilities not Competing Competencies” (16 Feb 2022), an opinion by Gate 15’s Managing Director, Andy Jabbour
- “The Cyber Social Contract; How to Rebuild Trust in a Digital World” (21 Feb 2022, in Foreign Affairs), by Chris Inglis (National Cyber Director & principal adviser to the President on cyber policy and strategy) and Harry Krejsa (a fellow at the Center for a New American Security [CNAS])
- National Council of ISACs
Excerpts:
“Collaboration, and coordination, have to be more inclusive. That was understood in 1998 when President Clinton developed the idea of Information Sharing and Analysis Centers (ISACs). That need was further underscored by the heinous attacks on 9/11… to build on the success of the ISAC model, in 2015 President Obama established the idea of Information Sharing and Analysis Organizations (ISAOs). To achieve our National Preparedness Goal, we need operational coordination to ensure we have “a unified and coordinated operational structure and process that appropriately integrates all critical stakeholders and supports the execution of core capabilities.” Let’s pause and look at that last part, supporting the execution of core capabilities.”
Andy Jabbour
“Existing efforts to place government and industry experts side-by-side—including in sector-specific Information Sharing and Analysis Centers—are a good way to start. The U.S. government has quickly realized that these partnerships can identify and address threats far more effectively than a single organization operating alone.”
Chris Inglis & Harry Krejsa
Understand the Threats.
Assess the Risks.
Take Action.
Understand the threats! Subscribe to our free daily paper and subscribe to our podcasts!
Take action! Our team specializes in intelligence and analysis, preparedness activities to include the development of plans, training, and exercises, and we can help you build the relationships and capabilities you need for effective information sharing operations to support your ability to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk to your organization in our complex, all-hazards environment.
