The Cybersecurity and Infrastructure Security Agency (CISA) needs to update its milestones and fully implement its plans related to the CISA Act of 2018 in order to provide more effective cybersecurity for the United States, the Federal government’s chief watchdog agency said.
According to a Government Accountability Office (GAO) report, CISA has completed two of three phases of its organizational transformation initiative. Those two phases led to a new organizational chart for the agency, consolidation of multiple incident response centers, and consolidation of points of contact for infrastructure security stakeholders. Phase three of this initiative is meant to fully implement CISA’s planned organizational changes.
“While CISA intended to fully implement the transformation by December 2020, it had completed 37 of 94 planned tasks for phase three by mid-February 2021,” wrote GAO. “Among the tasks not yet completed, 42 of them were past their most recent planned completion dates.”
Among those 42 tasks are finalizing “the mission essential functions of CISA’s divisions and issuing a memorandum defining incident management roles and responsibilities across CISA.” GAO says that these tasks are critical to CISA’s transformation initiative and its ability to carry out its cyber protection mission.
“In addition, the agency had not established an updated overall deadline for completing its transformation initiative,” wrote GAO. “Until it establishes updated milestones and an overall deadline for its efforts, and expeditiously carries out these plans, CISA will be hindered in meeting the goals of its organizational transformation initiative.”
“This in turn may impair the agency’s ability to identify and respond to incidents, such as the cyberattack discovered in December 2020 that caused widespread damage,” GAO added.
GAO made 11 recommendations to CISA in the report, all of which were agreed to by the Department of Homeland Security – which houses CISA. Among those recommendations:
- Establish completion dates for phase three tasks that are past their completion dates, with priority given to tasks critical to mission effectiveness;
- Establish an overall deadline for transformation initiative completion;
- Establish plans for developing outcome-oriented performance measures to gauge which of the agency’s efforts meet organizational transformation goals;
- Collect input to ensure organizational changes are aligned with stakeholder needs, accounting for coordination challenges identified in the report;
- Establish processes for monitoring effects of efforts to reduce fragmentation, overlap, and duplication, including identifying potential cost savings;
- Establish an approach for measuring organizational transformation outcomes, such as customer satisfaction with organizational changes, and include time frames;
- Develop a comprehensive workforce planning strategy;
- “Take steps to align the agency’s employee performance management system with its organizational changes and associated goals;”
- Communicate relevant organizational changes to selected critical infrastructure stakeholders to ensure they know with whom they should be coordinating in CISA’s organization;
- Take steps to determine how critical infrastructure stakeholders should be involved with the development of guidance for their sector, with stakeholder input; and
- Assess CISA’s methods of communicating with critical infrastructure stakeholders to ensure that appropriate parties are included in distribution lists or other communication channels.