Artificial Intelligence: DHS Needs to Improve Risk Assessment Guidance for Critical Infrastructure Sectors

Federal agencies with a lead role in protecting the nation's critical infrastructure sectors are referred to as sector risk management agencies. These agencies, in coordination with the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), were required to develop and submit initial risk assessments for each of the critical infrastructure sectors to DHS by January 2024.
Although the agencies submitted the sector risk assessments to DHS as required, none fully addressed the six activities that establish a foundation for effective risk assessment and mitigation of potential artificial intelligence (AI) risks. For example, while all assessments identified AI use cases, such as monitoring and enhancing digital and physical surveillance, most did not fully identify potential risks, including the likelihood of a risk occurring. None of the assessments fully evaluated the level of risk in that they did not include a measurement that reflected both the magnitude of harm (level of impact) and the probability of an event occurring (likelihood of occurrence). Further, no agencies fully mapped mitigation strategies to risks because the level of risk was not evaluated.
Lead agencies provided several reasons for their mixed progress, including being provided only 90 days to complete their initial assessments. A key contributing factor was that DHS's initial guidance to agencies on preparing the risk assessments did not fully address all the above activities.
Artificial intelligence is complex and evolving. It could be used to improve the systems that operate critical infrastructure, like water and energy. But it could also make them more vulnerable to cyberattacks.
Federal agencies that protect critical infrastructure had to assess AI risks to infrastructure sectors. But the Department of Homeland Security's guidance for assessments didn't have agencies fully measure how much harm an attack could cause or the probability of attacks. This information would help agencies address risks and foster responsible AI use.
DHS and CISA have made various improvements, including issuing new guidance and a revised risk assessment template in August 2024. The template addresses some—but not all—of the gaps that GAO found. Specifically, the new template does not fully address the activities for identifying potential risks including the likelihood of a risk occurring. CISA officials stated that the agency plans to further update its guidance in November 2024 to address the remaining gaps. Doing so expeditiously would enable lead agencies to use the updated guidance for their required January 2025 AI risk assessments.
AI has the potential to introduce improvements and rapidly change many areas. However, deploying AI may make critical infrastructure systems that support the nation's essential functions, such as supplying water, generating electricity, and producing food, more vulnerable. In October 2023, the President issued Executive Order 14110 for the responsible development and use of AI. The order requires lead federal agencies to evaluate and, beginning in 2024, annually report to DHS on AI risks to critical infrastructure sectors.
GAO's report examines the extent to which lead agencies have evaluated potential risks related to the use of AI in critical infrastructure sectors and developed mitigation strategies to address the identified risks. To do so, GAO analyzed federal policies and guidance to identify activities and key factors for developing AI risk assessments. GAO analyzed lead agencies' 16 sector and one subsector risk assessments against these activities and key factors. GAO also interviewed officials to obtain information about the risk assessment process and plans for future templates and guidance.
Recommendations
GAO is recommending that DHS act quickly to update its guidance and template for AI risk assessments to address the remaining gaps identified in this report. DHS agreed with our recommendation and stated it plans to provide agencies with additional guidance that addresses gaps in the report including identifying potential risks and evaluating the level of risk.

CISA and ONCD Release Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure

CISA and the Office of the National Cyber Director (ONCD) published Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure to assist grant-making agencies to incorporate cybersecurity into their grant programs and assist grant-recipients to build cyber resilience into their grant-funded infrastructure projects.
This guide is for federal grant program managers, critical infrastructure owners and operators, and organizations such as state, local, tribal, and territorial governments who subaward grant program funds, and grant program recipients. The guide includes:
- Recommended actions to incorporate cybersecurity into grant programs throughout the grant management lifecycle.
- Model language for grant program managers and sub-awarding organizations to incorporate into Notices of Funding Opportunity (NOFOs) and Terms & Conditions.
- Templates for recipients to leverage when developing a Cyber Risk Assessment and Project Cybersecurity Plan.
- Comprehensive list of cybersecurity resources available to support grant recipient project execution.
CISA encourages organizations to review and apply recommended actions to secure the nation’s critical infrastructure and enhance resilience.

CISA Launches FY2025-2026 International Strategic Plan

The Cybersecurity & Infrastructure Security Agency (CISA) published their 2025-2026 International Strategic Plan with a commitment to reducing risk to the globally interconnected and interdependent cyber and physical infrastructure.
In today’s interdependent and interconnected world, the protection and security of our cyber and physical infrastructure requires the concerted efforts of public and private partners around the globe. The Cybersecurity and Infrastructure Security Agency (CISA) is a globally recognized leader in shaping and implementing proactive approaches to reduce risk and increase the resilience of critical infrastructure on which the United States (U.S.) and its partners depend.
To effectively marshal its resources and guide operations, CISA issued the 2023-2025 CISA Strategic Plan, the agency’s first comprehensive strategic plan since CISA’s establishment in 2018. In recognition of the reality that today’s threats do not respect borders, CISA developed this CISA International Strategic Plan as a complementary guide for CISA’s international activities and outcomes.
This CISA International Strategic Plan acknowledges that the risks we face are complex and geographically dispersed, and that we cannot achieve our objectives in a vacuum. It is imperative that we expand visibility into internationally shared systemic risks. The maturity and security practices of global owners and operators of both cyber and physical infrastructure, technology, supply chains, and systems vary widely. Sharing timely, relevant, and accurate threat information and risk reduction advice with international partners provides the foundation for a more secure cyber-physical environment for all of us.
The CISA International Strategic Plan goals are to:
1. Bolster the Resilience of Foreign Infrastructure on Which the U.S. Depends.
2. Strengthen Integrated Cyber Defense.
3. Unify Agency Coordination of International Activities.
Through the goals and objectives outlined in this CISA International Strategic Plan – in coordination with the Department of Homeland Security (DHS), the Department of State, and partners across the interagency, and in accordance with U.S. national security, economic, and foreign policy priorities – CISA will assess and prioritize critical infrastructure dependencies and partner with foreign entities to advance CISA’s homeland security mission.
Strategic Intent
The CISA International Strategic Plan will focus and guide the agency’s international efforts over the 2025–2026 period. It highlights the agency’s commitment to reducing risk to the globally interconnected and interdependent cyber and physical infrastructure that Americans rely on every day. Our aim is to shape the international environment to reduce risk to critical dependencies and set conditions for success in cooperation, competition, and conflict. The CISA International Strategic Plan lays out three goals CISA must achieve to address the ever-changing and dynamic challenges facing America and our international partners. The first two goals focus on “what” the agency will work on in the international environment to achieve our “why” – 1) to reduce risk to and build resilience of foreign assets, systems, and networks that impact U.S. critical infrastructure, 2) understand shared global threats to critical infrastructure, and 3) support collective defense. The third goal focuses internally to promote unified action, working as One CISA to conduct international activities.
Strategic Approach
The approach laid out in this CISA International Strategic Plan aligns with guidance set forth in the National Security Strategy, National Cybersecurity Strategy, U.S. International Cyberspace and Digital Policy Strategy, CISA Strategic Plan 2023–2025, CISA Stakeholder Engagement Strategic Plan FY2023-2025, and CISA Cybersecurity Strategic Plan 2024–2026, as well as the identified priorities of the Secretary of Homeland Security. The CISA International Strategic Plan and the U.S. International Cyberspace and Digital Policy Strategy firmly align to bolster and broaden international alliances to mature cyber defense efforts, both domestically and internationally. This involves fostering collaborative relationships with global partners; sharing expertise, technical resources, and best practices; and collectively fortifying cyber resilience to address emerging threats in an interconnected world. Our strategic approach will not only advance the resilience of critical infrastructure dependencies at home and abroad, but it will also ensure a long-term commitment in strengthening international partnerships that are essential for CISA’s mission success. As part of coordinated U.S. government efforts, CISA will proactively engage and support international partners to assess, influence, and assist with reducing risk and strengthen the security and resilience of foreign assets, systems, and networks on which our nation’s critical infrastructure depends. As threats evolve across the spectrum of competition with state and non-state actors, no single organization or entity has all the answers for how to address cyber and physical threats to critical infrastructure. Therefore, CISA will prioritize operational collaboration and international activities to achieve mutual interests and goals with our partners. This plan centralizes CISA’s focus and coordination on goals and objectives that increase homeland and national security. More importantly, it positions CISA to support the internal coordination of international activities through the execution of annual planning cycles. This CISA International Strategic Plan seeks to streamline or eliminate overlapping and redundant systems to synchronize complex international issues that cut across our agency.
Overall, our aim is to build, strengthen, and sustain international relationships to:
1. Advance homeland and national security objectives.
2. Prevent incidents and increase resilience of physical and cyber critical infrastructure at home and abroad.
3. Increase awareness to detect, deter, and disrupt emerging threats and hazards.
4. Manage and reduce systemic risks.
5. Increase understanding of international critical infrastructure interdependencies and anticipate cascading impacts.
6. Influence international policy, standards, and best practices.
7. Assist key partners to address their capability shortfalls.
8. Expand bilateral/multilateral exchanges of expertise, in tandem with increased federal inter- and intra-agency coordination, to improve risk management and incident response capacity.
9. Mature and strengthen CISA’s international partnerships, arrangements, and policies.
Goal 1: Bolster the Resilience of Foreign Infrastructure on Which the U.S. Depends
Interconnected Critical Infrastructure Graphic
Recognizing that much of U.S. critical infrastructure interconnects and/or is interdependent with foreign assets, systems, or networks, CISA will work closely with domestic and international partners to bolster the security and resilience of the international critical infrastructure on which the U.S. depends. These interconnections and interdependencies span the full range of critical infrastructure sectors: pipelines, telecommunications, and essential supply chains, among others. Malicious cyber actors continue to exploit vulnerabilities across these sectors to target critical infrastructure through ransomware and other cyberattacks. The threat from global terrorism remains a persistent concern and a significant threat to U.S. and international facilities. Thus, it is essential for CISA to work with partners to assess and reduce risk from foreign critical dependencies impacting U.S. critical infrastructure resilience. In doing so, CISA must strengthen exchanges with international partners that promote our priorities abroad as well as influence standards, regulations, and policies to advance homeland and national security objectives. A collaborative approach to understanding interconnected critical infrastructure systems will set conditions for the U.S. and our international partners to proactively develop strategies, policies, and programs that integrate risk reduction efforts and reflect mutual and multi-stakeholder security interests at home and abroad.
1.1. Identify and prioritize foreign critical infrastructure on which the nation depends and bolster its security and resilience.
The U.S. depends on foreign-owned systems that support our critical infrastructure sectors such as communications, transportation, information technology, energy, financial services, and critical manufacturing. CISA will work with interagency and international partners to identify and understand which international systems and assets are truly critical to the nation’s critical infrastructure and assess how they are vulnerable to create strategies to manage shared risks. CISA will also work with interagency and international partners to promote a shared understanding of global threats to critical infrastructure security and resilience, such as cyberattacks, chemical and improvised explosive devices, threats to supply chain interdependencies, foreign malign investments, and climate change. Managing risk and bolstering resilience will require long-term, strategic collaboration between public and private sectors at home and abroad.
Enabling Measure: In coordination with the Department of State and relevant U.S. government partners, we will broaden our understanding of systemic risk by expanding our visibility into infrastructure and supply chain vulnerabilities for priority foreign critical infrastructure upon which the U.S. depends.
Measure of Effectiveness:
1. Increase the number of U.S. government activities coordinated by CISA to advance the security and resilience of prioritized foreign critical infrastructure and supply chains.
2. Increase the number of global partner actions taken to address risks to prioritized foreign critical infrastructure.
3. Increase the number of domestic partner actions taken to mitigate potential disruptions of U.S. critical infrastructure operations resulting from dependencies with foreign assets, systems, and supply chains.
1.2. Strengthen international partnerships that promote U.S. critical infrastructure priorities and interests abroad.
CISA seeks to expand visibility into internationally shared threats and systemic risks. To improve situational awareness for both CISA and our international stakeholders, we must mature multidirectional communications with external partners, including timely incident reporting and the systematic sharing of threat and vulnerability information. Strengthening includes accelerating the speed, improving the accuracy, and enabling the effectiveness of critical information sharing, while using CISA as a hub for multi-stakeholder initiatives. We will use CISA’s cross-functional expertise to foster communication and information sharing with global partners at scale, which will advance the resiliency of our critical infrastructure against shared challenges and preserve our ability to communicate in the event of an emergency. This will create a foundation for advancing international efforts that mature our collective ability to plan for, detect, deter, and disrupt emerging threats and hazards to cyber and physical infrastructure and interoperable emergency communications. Deepening the understanding of shared and systemic risk with our partners will strengthen the protection and resilience of critical infrastructure on which the nation relies.
Enabling Measure: We will expand our ability to execute joint operational activities, capacity development efforts, and shared policy frameworks that advance U.S. priorities for defending cyberspace and protecting U.S. critical infrastructure.
Measure of Effectiveness:
1. Increase the number of joint operational activities conducted with global partners to build public and private capacity to deter, prevent, protect, and respond to incidents to critical infrastructure.
2. Increase information sharing exchanges with global partners to promote U.S. security and resilience priorities and to enhance CISA’s programs, services, and products.
1.3. Shape operational and technical global standards, regulations, policies, guidelines, and best practices to advance security.
CISA will work with interagency partners to support standards activities—in coordination with the DHS Science and Technology Directorate—through standard development organizations that can advance U.S. interests. Within CISA’s authorities, our aim is to promote and support a wide array of portfolios, including but not limited to cyber and physical critical infrastructure, emerging technology, chemical security, emergency communications, school safety, bombing prevention, and more to ensure that systems, infrastructure, government, business, and the public can withstand and recover from deliberate attacks, accidents, and natural hazards. Where appropriate, we will advance and contribute to the development and adoption of operational and technical international standards and regulations to strengthen cybersecurity, fortify critical infrastructure security and resilience, and improve emergency communication. CISA holds a shared approach to international standards, regulations, guidelines, and best practices for critical infrastructure security and critical emerging technologies, to include artificial intelligence (AI). This will help accelerate standards that contribute to interoperability and promote U.S. competitiveness and innovation with our partners.
Enabling Measure:
1. We will advance open, transparent, and rules-based standards processes to ensure that globally relevant standards meet U.S. national security requirements for critical infrastructure.
2. We will work with partners to counter the influence of adversaries attempting to unduly shape standards in a manner which would represent a threat to national security.
Measure of Effectiveness:
1. In coordination with government, industry, and academic partners, increase the development and publication of technical standards for adoption by international standards and policy setting bodies that advance the protection, interoperability, and resilience of U.S. critical infrastructure.
Goal 2: Strengthen Integrated Cyber Defense
Integrated Cyber Defense graphic
Cybersecurity threats extend beyond national borders. Strong international cyber defense partnerships set conditions that reduce risk and minimize the impact of attempts to infiltrate, exploit, disrupt, or destroy critical infrastructure systems that support our national critical functions (NCFs). Engaging international partners allows CISA to build trust, illuminate threats, and facilitate the free flow of cybersecurity defense information. We will work with partners, international organizations, and nongovernmental organizations to influence global cybersecurity practices and standards that promulgate cyber safety and security at scale. Bolstering the capabilities of key partners improves our collective cyber defense abroad against state and non-state actors.
2.1. Enable cyber defense with partners to reduce collective risk.
International partners contribute essential information to support CISA’s cybersecurity mission. A network of trusted partners provides increased visibility into—and ability to mitigate—cybersecurity threats, vulnerabilities, and campaigns. Our aim is to increase and mature our network of trusted partners through our bilateral and multilateral Computer Security Incident Response Team (CSIRT)-CSIRT engagements. Through these engagements, we seek to strengthen CSIRT-CSIRT relationships that enable the exchange of actionable operational information, which includes product sharing, vulnerability alerts, victim notifications, tactics, techniques, and procedures as well as evaluating unique international inputs to reduce risk. This effort will facilitate a collective response and provide a vehicle for partners to share information that builds trust and global cyber situational awareness—especially for those foreign systems, networks, and assets truly vital to the nation’s critical infrastructure. We will strive to set an example as the premier CSIRT organization and work with international partners to understand how incidents occur, how to prevent them, and to provide technical resources that alleviate critical operational gaps. Beyond immediate threat information, these operational partnerships help inform international exercises that will enable us to better understand risks and provide additional ways and means to better manage threats and risk abroad.
Enabling Measure: We will increase trust and strengthen operational collaboration through bilateral and multilateral engagements with international partners by expanding participation in CSIRT-CSIRT engagements.
Measure of Effectiveness:
1. Increase the number of trusted international CSIRT partners.
2. Increase the percent of bilateral and multilateral CSIRT engagements that reduce combined risk.
3. Increase the number of CSIRT partners that apply recommended risk mitigations prior to exploitation.
2.2. Drive standards and security at scale to increase cyber safety.
For decades, the U.S. has worked through international institutions to define and advance responsible state behavior in cyberspace, steering partners toward developing secure technology from inception. As part of the broader national effort, CISA will encourage international partners to define, adopt, and implement global cybersecurity standards, norms, and best practices that promote U.S. cybersecurity interests. The agency will also provide guidance, advice, and expertise to help define and implement safe global standards, norms, and best practices that support U.S. domestic cybersecurity interests. Our aim is to set the bar high for global standards and prioritize them to reflect CISA interests and implement them as a critical element to protect citizens. As some of the most visible examples, CISA’s international focus is to encourage the widespread adoption of Secure by Design practices, including adoption of software bills of materials, secure AI systems, open-source security, and coordinated vulnerability disclosures.
Enabling Measure: In collaboration with international public and private sector partners, we will advance a global commitment to safe and secure software development and deployment.
Measure of Effectiveness:
1. Increase in international standards that recommend frameworks for secure software development at the onset of the software development lifecycle.
2. Increase the number of partner states, international organizations, and industries that adopt and implement the principles of Secure by Design.
2.3. Increase cyber and physical resilience capabilities of key partners.
The breadth and depth of the international cybersecurity challenge exceeds the capacity of any one organization. It is paramount that key partners possess the fundamental capabilities to safeguard and defend their connected critical infrastructure that impact our NCFs. Our aim is to establish an environment where our partners can organically detect threats, assess potential impacts, and receive and exchange real-time risk reduction actions that increase collective security and resilience and support the rapid establishment of consistent, secure, and effective interoperable emergency communications. CISA possesses capabilities that can uniquely contribute to homeland and national security objectives—especially as part of larger U.S. government efforts to improve the cybersecurity capabilities of priority international partners. As the U.S. strengthens relationships with key partners, CISA can provide training, exercises, and information sharing capabilities. These activities can assist international partners in developing and growing organic risk reduction capabilities, while setting supporting priorities for the investment and divestment of limited resources to fill collective capability shortfalls.
Enabling Measure: In collaboration with the Department of State, we will advance shared cybersecurity priorities and strengthen international partner capacity to support these priorities through the focused delivery of CISA services that proactively and collaboratively bolster our international cybersecurity and resilience.
Measure of Effectiveness:
1. Increase the number of CISA services delivered to international partners that address identified security and resilience gaps.
2. Increase in the percent of program participants equipped with required competencies in cyber or physical security and resilience.
3. Expand the network of foreign train-the-trainer partners capable and approved to provide CISA-based training within their regions.
4. Increase the percent of partners reporting strengthened capabilities to manage their own risk.
Goal 3: Unify Agency Coordination of International Activities
Connecting lines
An effective international plan depends on unity of effort across the agency’s divisions and mission enabling offices (offices). Accomplishing unity of effort will require that CISA internally prioritizes, coordinates, deconflicts, and aligns international activities through improved organization and governance, integrated functions, and a well-trained workforce.
3.1. Strengthen and institutionalize CISA’s governance of international activities.
The CISA Stakeholder Engagement Division (SED) will establish a governance structure to advise on international matters and provide a clear articulation of the agency’s international priorities. Taking into account inputs from divisions and offices, these priorities will provide clear guidance that is consistent with CISA’s authorities and domestic requirements as well as broader DHS and national security policies.
Enabling Measure: We will establish internal agency processes and procedures for governing the agency’s international activities using the One CISA approach.
Measure of Effectiveness:
1. Increase the number of governance documents and processes that improve standardization and transparency of agency international activities.
3.2. Align and synchronize CISA’s international functions, capabilities, and resources.
CISA will support systematic information sharing across the agency through policy coordination and the collection and dissemination of international lessons learned to effectively realize the full range of specialized expertise and capabilities across the agency. SED will coordinate CISA’s international communications and activities across CISA to provide the agency with situational awareness of current and projected international activities. This coordination will address gaps and eliminate duplication of effort while ensuring timely execution of operational priorities and alignment of CISA’s international activities with this strategic plan and national security priorities.
Enabling Measure: We will optimize internal business operations to ensure the coordinated delivery of products and services to international partners that effectively advance cyberspace defense and U.S. critical infrastructure security and resilience.
Measure of Effectiveness:
1. Increase the percent of cross-cutting activities coordinated through CISA International Affairs.
2. Increase in internal products and services that improve widespread awareness of key international cybersecurity and critical infrastructure security and resilience issues.
3.3. Equip CISA’s workforce through training and education to promote CISA’s capabilities on the global stage.
With an inherent domestic focus, we recognize that there are skills CISA needs to provide the workforce to influence the international system. CISA will develop and provide training opportunities for employees who will deploy overseas as well as those engaged in deliberate international activities. SED will aim to facilitate DHS and State Department pre-deployment training for Attachés, Liaison Officers, and Technical Advisors deploying overseas, including a CISA familiarization program to ensure a baseline understanding of CISA’s organization, role, responsibilities, authorities, and strategic objectives. SED will provide international affairs etiquette guidance to all travelers as part of the travel preparation process. For CISA leadership and travelers conducting potentially sensitive engagements, SED will provide a tailored pre-departure briefing encompassing cultural norms and U.S. foreign policy goals with recommended talking points.
Enabling Measure: CISA, through its workforce, is prepared to actively and effectively engage in international efforts to advance cyberspace defense, safe and secure technology development and deployment, and critical infrastructure security and resilience.
Measure of Effectiveness:
1. Increase the percent of CISA personnel trained and provided with resources to deliver international services.
2. Increase in the percent of CISA personnel who report that specialized training improved their capability to represent the agency effectively while performing international activities.
Conclusion
Robust and trusted international partnerships serve as a force multiplier across the spectrum of global competition. Successful partnerships require commitment, dedication, and time to build trust. In coordination with DHS and the State Department, CISA will develop, strengthen, and sustain these relationships. This CISA International Strategic Plan provides a framework to build and maintain an agency posture with international partners to enable the U.S. to compete with and prevail against current and future threats. Importantly, this plan addresses multiple challenges under different conditions and creates the framework to prioritize agency efforts.
These goals position CISA strategically with a posture that reinforces critical partnerships abroad to overcome complex and interconnected challenges. The strategic approach aligns CISA with the broader U.S. government as well as our international partners to enable access, develop capacity, and ensure the flexibility to support national efforts to compete globally against state and non-state actors.
This CISA International Strategic Plan creates opportunities for shared success and is a process, not simply a publication; therefore, CISA will review progress quarterly. Unpredictability in the international security environment, or obstacles to our progress, may drive us to change course. We will remain agile and shift our focus to ensure we are integrating the right people, processes, technology, and partners at the right time, place, and space for mission success. Just as our threats and adversaries adapt to and shape the cyber and physical security environment, CISA will continue to evolve to fulfill the vision of a secure and resilient infrastructure for the American people—this CISA International Strategic Plan establishes a proactive path to achieve that vision.

Future of Cybersecurity: Leadership Needed to Fully Define Quantum Threat Mitigation Strategy

Cryptography is a set of mathematical processes that can "lock," "unlock," or authenticate information. Agencies, banks, utilities, and others rely on cryptography—e.g., data encryption algorithms—to secure systems and data.
Experts predict that a quantum computer capable of breaking such cryptography may exist within 10-20 years.
Various federal entities have developed documents that inform a national strategy for addressing this threat. But the strategy lacks details and nobody's in charge of implementing it. We recommended the National Cyber Director coordinate the national strategy and use our guidelines for effective national strategies.
GAO was asked to examine the federal government’s strategy to address the threat that quantum computers pose to our nation’s cryptography. This report provides information on, among other things, how cryptographic methods protect systems and data, the threat quantum computers pose, and the extent to which the U.S. national quantum computing cybersecurity strategy addresses the desirable characteristics of a national strategy.
Federal agencies and the nation's critical infrastructure—such as energy, transportation systems, communications, and financial services—rely on cryptography (e.g., encryption) to protect sensitive data and systems. However, some experts predict that a quantum computer capable of breaking certain cryptography—referred to as a cryptographically relevant quantum computer (CRQC)—may be developed in the next 10 to 20 years, putting agency and critical infrastructure systems at risk. Quantum computers leverage the properties of a qubit (the quantum equivalent of classical computer bits) to solve selected problems significantly faster than classical computers.
To address this threat, various documents developed over the past eight years have contributed to an emerging U.S. national strategy. Based on its review of these documents, GAO identified three central goals.
The strategy partially addresses the desirable characteristics of a national strategy identified in prior GAO work. For example:
- Problem definition and risk assessment. Several documents defined the problem as the threat of a CRQC to cryptography, but did not fully define a CRQC. In addition, although the executive branch conducted a comprehensive risk assessment on systems with vulnerable cryptography supporting critical infrastructure, it has not conducted such an assessment for systems used by federal agencies.
- Purpose, scope, and methodology. Several documents identified purpose and scope. With regard to methodology, three post-quantum cryptography standards documents provided information on how they were developed. However, the remaining documents did not describe the methodology or process used to develop them for the other two goals.
- Objectives, activities, milestones, and performance measures. The strategy documents identified objectives and activities for the first two goals but did not do so for the third. In addition, the strategy documents did not fully identify milestones for the second and third goals and did not identify performance measures for any of the three goals.
These desirable characteristics have not been fully addressed, in part, because no single federal organization is responsible for coordinating the strategy. In January 2021, Congress established an organization that is well-positioned to lead these efforts: the Office of the National Cyber Director. If the office embraces this role and ensures that the strategy fully addresses the desirable characteristics, the nation will have a better-defined roadmap for allocating resources and holding participants accountable.

Weather Ready Pacific charts the way on Early Warnings for All

Weather Ready Pacific - a major ten-year programme – aims at reducing the human and economic cost of severe weather events, protecting Pacific Island communities and livelihoods on the frontline of climate change.

WMO Deputy Secretary-General Ko Barrett stressed WMO’s commitment to the initiative in a high-level event at COO29 on “Early Warnings For All in the Pacific: Starting our journey to navigate through the challenges of a climate change world.”

Ministers and their representatives from Tonga, Fiji and Samoa highlighted the importance of the programme in building resilience to hazards such as tropical cyclones and coastal inundation in an era of rising sea levels and more extreme events.

Tiofilusi Tiuete, Minister for Finance and National Planning of Tonga, said there were already tangible improvements in forecasts thanks to a new weather radar which will increase the accuracy of advance warnings of high-impact events.

The Weather Ready Pacific Program was developed with the support of the Secretariat of the Pacific Regional Environment Programme (SPREP), WMO and the Government of Australia through the Australian Bureau of Meteorology (BOM). It is administered by SPREP and has a target to raise US $ 191 million over 10 years to strengthen the capacity of National Meteorological and Hydrological Services in the Pacific.

“We are committed to supporting sustainable capacity enhancement efforts wherever they occur and we stand ready to support with technical tools and guidance. National Meteorological and Hydrological Services are at the centre of all these efforts,” Ko Barrett told the high-level event.

“We are happy to leverage funding through the Systematic Observations Financing Facility (SOFF) and the Climate Risk and Early Warning Systems Initiative (CREWS) and other investment instruments to support the aims of the Weather Ready Pacific Programme and more generally of the Early Warnings for All initiative.”

Climate change ambassadors from Australia and New Zealand, two of the main financial backers, stressed how the programme is intended to foster long-term investment in sustainability. The aim is to bring different funding initiatives from a variety of partners under one roof and within a 10-year time frame, thus easing the administrative burden on Small Island Developing States.

“We have had so many projects that stop and start, stop and start. We spent more time writing reports than we do forecasting the weather,” said ‘Ofa Fa’ Anunu, the coordinator of the Weather Ready Pacific Programme. He was formerly the head of Tonga’s NMHS and president of WMO’s Regional Association for Asia-Pacific.

Systematic Observation Financing Facility (SOFF)
The Pacific represents 15 % of the world surface, but it has only six upper air stations which are compliant with the Global Basic Observing Network. This is a major gap that needs to be filled, given that a chain is only as strong as its weakest link.

SOFF seeks to fill this gap through long-term, grant based investments in infrastructure and enhancing the capacity of National Meteorological and Hydrological Services (NMHS).

Within the Pacific, Kiribati and the Solomon Islands have been approved for an amount of USD 20 million. Nauru and Samoa have been provisionally approved for an amount of USD 12 million.

Climate Risk and Early Warning Systems Initiative
Climate Risk and Early Warning Systems initiative seeks to bridge the early warnings capacity gap. Ko Barrett said CREWS is a textbook example of people-centred, community-based projects that are making a tangible difference to people’s lives.

WRP and CREWS share common programming frame and principles of country/regional driven programmes, people-centered approaches, and gender-responsiveness, said Gerard Howe, Head of Energy, Climate and Environment Directorate, UK Foreign, Commonwealth and Development Office (FCDO) and Chair of CREWS.

“CREWS is committed to support Weather Ready Pacific as a vehicle for more effective programming and financing,” he said.

Pacific Island countries benefited from one of the very first CREWS financing decisions in 2017. The CREWS Steering Committee recently initiated the consultations for a third phase of this regional project bringing the total contribution to the region to USD 25 million.

In Papua New Guinea, with the support of the Australian meteorological services, a new drought early warning system was established. In PNG, nearly eight in ten people rely on subsistence farming. Food insecurity is mostly due to crop failures from drought and frost.

Support to develop similar drought advisories has been received from 5 additional Island States and an additional US$ 5 million committed to support these.

Two countries (Tonga and Vanuatu) have accessed financing through the CREWS Accelerated Support Window a fast-track provider of technical assistance. This has led to the development of a smart weather app.

TSA announces proposed rule that would require the establishment of pipeline and railroad cyber risk management programs

The Transportation Security Administration (TSA) has published a Notice of Proposed Rulemaking that proposes to mandate cyber risk management and reporting requirements for certain surface transportation owners and operators.
“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” said TSA Administrator David Pekoske. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”
This rule proposes to continue TSA’s commitment to performance-based requirements. Building on the performance-based cybersecurity requirements TSA previously issued via annual Security Directives since 2021, the proposed rule leverages the cybersecurity framework developed by the National Institute of Standards and Technology and the cross-sector cybersecurity performance goals developed by the Cybersecurity and Infrastructure Security Agency (CISA).
Consistent with these requirements and standards, this rule proposes:
- To require that certain pipeline, freight railroad, passenger railroad and rail transit owner/operators with higher cybersecurity risk profiles establish and maintain a comprehensive cyber risk management program;
- To require these owner/operators, and higher-risk bus-only public transportation and over-the-road bus owner/operators, currently required to report significant physical security concerns to TSA to report cybersecurity incidents to CISA; and
- To extend to higher-risk pipeline owner/operators TSA’s current requirements for rail and higher-risk bus operations to designate a physical security coordinator and report significant physical security concerns to TSA.
TSA asserts that maintaining an effective cybersecurity posture is critically important to ensuring that the surface transportation sector is prepared for, and able to manage, cyber risks. The requirements contained in this proposed rule would strengthen cybersecurity resilience across the surface transportation systems sector.

2 WEEKS TO ‘CIP WEEK’ IN EUROPE - 12th-14th November 2024, Madrid, Spain

The International Association of Critical Infrastructure Protection Professionals (IACIPP) is delighted to announced preparations for the inaugural ‘Critical Infrastructure Protection Week’ in Europe are progressing well, as part of an initiative focused towards enhancing collaboration and cooperation amongst the industry.
The recent implementation of The Critical Entities Resilience Directive (CER Directive), which lays down obligations on EU Member States to take specific measures to ensure that essential services and infrastructures, for the maintenance of vital societal functions or economic activities, are provided in an unobstructed manner in the internal market. The passing of the deadline of 17th October 2024 for when Member States should have adopt and publish the measures necessary to comply with this Directive appears to have been met with challenges.
The NIS2 Directive, also known as the Network and Information Security Directive, is also a significant piece of legislation that was also being implemented on 17th October 2024, aimed at improving cyber security and protecting critical infrastructure across the European Union (EU).
It has built on the previous NIS Directive, addressing its shortcomings and expanding its scope to enhance security requirements, reporting obligations, and crisis management capabilities.
Compliance with the CER Directive and NIS2 Directive are crucial for businesses operating in the EU to safeguard their systems, mitigate threats, and ensure resilience. Penalties are enforceable on agencies and operators for non-compliance.
The implementation of these Directives has proven challenging, and in some instances compliance is still some way off.
The first ‘Critical Infrastructure Protection Week’ will take place in Madrid Spain and will see IACIPP host the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and ‘EU-CIP Horizon Project’ conference as the first two events as part of the initiative.
IACIPP has lined up an excellent Keynote Session for the Opening of the event, including:
- Jose Luis Perez Pajuelo, Director General, National Center for Critical Infrastructure Protection (Ministry of Interior)
- Dr. Enrique Belda Esplugues, Director General, Port of Valencia, Spain
- Juan Diez Gonzalez, Head of Cybersecurity for Strategic Healthcare, Food and Research sectors, Spanish National Cybersecurity Institute (INCIBE)
- John Donlon, Chairman, International Association of CIP Professionals
John Donlon QPM, Chairman of The International Association of Critical Infrastructure Protection Professionals, said, “IACIPP is delighted the CIP Week in Europe initiative is gathering pace, with the important aim of encouraging greater information sharing, collaboration and co-operation within the industry.”
“The CER and NIS2 Directives are two of the most important pieces of legislation to arrive in Europe in recent years, and IACIPP along with other professional bodies concerns over the lack of preparation of some of the operators and agencies in meeting the deadline has been proven, and believe more needs to be done to ensure these minimum standards are met, and indeed exceeded in subsequent years. We are delighted to welcome such an esteemed set of keynote speakers to open the event, providing wisdom and insight into the challenges for the industry.”
“We are delighted the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and ‘EU-CIP Horizon Europe Project’ conference are the first two events to contribute towards CIP Week, and highlight many of the challenges facing the industry. Madrid is an excellent location for the launch of this program, with the CN-PIC driving Spain’s efforts to meet the Directives’ and be prepared.” Added Mr Donlon.
With just two weeks to go to CIP Week in Europe, IACIPP is inviting the industry to join the discussions in Madrid on 12th-14th November 2024.
Further details and registration can be found at www.cipre-expo.com and www.cip-association.org.

CISA Launches #PROTECT2024 Election Threat Updates Webpage

The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new one-stop shop website for election threat updates from CISA and its federal government partners. As foreign actors continue their efforts to influence and interfere with the 2024 elections, CISA is ensuring that information about the election threat environment is readily accessible.
Part of the larger #Protect2024 site launched in January, the page aims to make it easier to find specific threat related products that the American public can use to stay informed and the election community can use to prepare, including:
- Joint Statements from CISA, ODNI and FBI on threats to the 2024 election
- ODNI Election Threat Updates
- FBI and CISA “Just So You Know” Joint PSA Series
Since its initial launch, #Protect2024 has quickly grown and serves as the central point for critical resources, training lists and security services to support more than 8,000 election jurisdictions for the 2024 election cycle.

Plurilock and CrowdStrike Partner to Secure Critical Infrastructure and Organizations

Plurilock Security Inc., a global cybersecurity services and solutions provider, and CrowdStrike are pleased to announce a new partnership to secure critical infrastructure in democratic nations and economies against modern threats. Plurilock will provide sales and support of the AI-native CrowdStrike Falcon® cybersecurity platform to help power Plurilock’s Critical Services business unit.
Through the partnership, Plurilock will collaborate with CrowdStrike to deploy the Falcon platform and related Plurilock Critical Services to key Plurilock customers that are seeking to modernize or optimize their security operations for today’s surging threat environment. Both companies have deep expertise in AI and cybersecurity, with Plurilock having been founded on AI as a cybersecurity research spin-out, and CrowdStrike providing the world’s most advanced AI-native cybersecurity platform.
“Plurilock Critical Services secures enterprise customers that are of key importance to the world’s democracies—and that are increasingly targeted by sophisticated attacks,” said Ian L. Paterson, CEO of Plurilock. “The CrowdStrike Falcon platform enables our Critical Services team to consolidate point products, remove complexity, and deliver comprehensive visibility and real-time protection across the enterprise. This partnership enables us to provide some of the most demanding customers in existence with the solution best able to address the threats they currently face.”
“Collaborating with innovative partners like Plurilock is core to CrowdStrike’s mission of stopping breaches,” said Daniel Bernard, chief business officer, CrowdStrike. “Plurilock customers are targeted by the world’s most sophisticated adversaries, and require the most advanced technology and elite services to safeguard their critical assets. We look forward to leveraging the power of the Falcon platform to achieve our shared objectives and stop advanced threats.”

2nd E.DSO Digital Award

Are you the creator of a pioneering solution or technological innovation that will facilitate the energy transition and leave a significant impact for society?
E.DSO, the Association of Distribution System Operators (DSOs), is launching the ‘2nd E.DSO Digital Award’ in recognition of the most meaningful and relevant digital innovations contributing to the shaping of DSOs roles. This award wants to highlight the importance of digitalisation in the energy sector and to acknowledge those who are leading the way in creating a more efficient, resilient, and consumer-centric energy system.
This opportunity is reserved for start-ups that have developed an innovative, revolutionary and relevant technological tool and digital solution for a future energy system.
Candidates are invited to send a brief description plus a video of their invention and its contribution by 21 October 2024.
The Award will be announced during E.DSO 1st FutureGrid Innovation Summit scheduled in Brussels on 6 February 2025.
1 2 3 52