CIPRNA Announced Preliminary Conference Programme

Critical Infrastructure Protection & Resilience North America, taking place on 12th-14th March 2024 in Lake Charles, Louisiana, and co-hosted by IACIPP and Infragard Louisiana, has announced the Preliminary Conference Program for the 2024 conference and exhibition, and you can download the agenda at www.ciprna-expo.com/PSG.

The Guide provides the outline programme, the excellent international expert speakers and the schedule of events to help you plan your participation.

You can also register online today and save with the Early Bird delegate rates at www.ciprna-expo.com/register

Confirmed Speakers include:
- Dr David Mussington, Executive Assistant Director for Infrastructure Security, Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA)
- Brian Harrell, VP & Chief Security Officer, AVANGRID
- Michael Hill, Program Specialist, Cybersecurity and Infrastructure Security Agency
- Emilio Salabarria, Senior Program Manager for Cybersecurity, The Florida Center for Cybersecurity: Cyber Florida
- Dr. Srinivas Bhattiprolu, Global Head of Advanced Consulting Services, Nokia
- Ed Landgraf, Chairman, Coastal And Marine Operators
- Kimberly Heyne, ChemLock Program Manager, Cybersecurity and Infrastructure Security Agency (CISA)
- Dan Frazen, CO-CEM, Agriculture Emergency Coordinator (All-Hazards), Colorado Department of Agriculture
- Dr. Joshua Bergerson, Principal Infrastructure Analyst, Argonne National Laboratory
- Chris Essid, Sector Branch Chief, Cybersecurity and Infrastructure Security Agency (CISA)
- Budge Currier, Assistant Director Public Safety Communications, California Office of Emergency Services (Cal OES)
- Terrence Check, Senior Legal Counsel, CISA
- Rola Hariri, Defense Industrial Base Liaison, Cybersecurity and Infrastructure Security Agency (CISA)
- Lester Millet, President, Infragard Louisiana & Safety Risk Agency Manager, Port of South Louisiana
- Michael Finch, Technology Services Director, Lane County Department of Technology Services
- Richard Tenney, Senior Advisor, Cyber, Cybersecurity and Infrastructure Security Agency (CISA)
- Andrew A Bochman, Senior Grid Strategist-Defender, DOE / Idaho National Lab
- Jim Henderson, CEO, Insider Threat Defense Group

Full speaker list: www.ciprna-expo.com/speakers2024
Download Agenda: www.ciprna-expo.com/PSG
Schedule of Events/Agenda: www.ciprna-expo.com/schedule
List of Exhibitors: www.ciprna-expo.com/exhibition/exhibitors
Registration: www.ciprna-expo.com/register

Join the community in Lake Charles on 12th-14th March 2024 for some more great discussions on securing America's critical infrastructure and assets.

Airports Efforts to Enhance Electrical Resilience

The nation's commercial service airports require continuous, reliable electricity to power airfield operations and airport facilities. FAA and airports are responsible for ensuring the resilience of airports' electrical power systems—including the ability to withstand and recover rapidly from electrical power disruptions.

GAO was asked to review major power outages at airports and steps federal agencies and airports are taking to minimize future disruptions. This report describes (1) the extent to which selected airports reported they had experienced electrical power outages since 2015, (2) actions selected airports have taken to improve the resilience of their electrical power systems, and (3) actions FAA has taken to help airports develop and maintain resilient electrical power systems.

GAO conducted semi-structured interviews with officials from 41 selected airports of varying sizes, representing 72 percent of passenger enplanements. GAO administered a follow-up survey to these 41 airports, focusing on the extent to which they had experienced electrical outages; 30 responded to the survey, representing 53 percent of total enplanements. GAO also reviewed applicable statutes and regulations and analyzed funding data to identify examples of electrical power projects. Further, GAO interviewed FAA officials and airport, academia, state government, and energy stakeholders.

A power outage can significantly disrupt an airport's operations. One 2017 outage at Hartsfield-Jackson Atlanta International Airport led to about 1,200 cancelled flights and cost an airline around $50 million.

Many of the nation's airports are enhancing their ability to withstand and rapidly recover from power disruptions. They're improving their electrical infrastructure, including installing backup generators or solar panels. Some airports are also considering installing microgrids—systems that independently generate, distribute, and store power. The FAA is offering new and expanded grant programs to help fund these projects.

Twenty-four of the 30 commercial service airports that responded to GAO's survey and interviews reported experiencing a total of 321 electrical power outages—i.e., an unplanned loss of power lasting 5 minutes or longer—from 2015 through 2022. Eleven of these airports reported having six or more outages over this 8-year period. Airports reported that these outages affected a range of airport operations and equipment (see table). Not all responding airports were able to provide detailed information about their outages, and some provided estimates about affected activities.

Selected airports reported taking several actions to improve the electrical power resilience of their airports, including (1) conducting electrical infrastructure assessments, (2) undertaking projects to improve electrical infrastructure, and (3) installing equipment to generate additional backup power. For example, 40 of the 41 airports GAO interviewed reported planning or completing an infrastructure project to increase electrical power resilience. Of these, four airports reported installing microgrids. Such microgrid systems are capable of independently generating, distributing, and storing power.

The Federal Aviation Administration (FAA) is administering new and expanded grant programs and issuing guidance to support airports' electrical resilience efforts. For example:

- Airport Improvement Program funding eligibility was expanded to include the Energy Supply, Redundancy, and Microgrids Program projects, which may include certain electrical power resilience projects.

- The new Airport Terminal Program provides funding for airport terminal development projects, including those that may strengthen resilience.

- FAA issued program guidance and conducted airport outreach to help increase airports' awareness of available federal funding for resilience projects.

The CNI / Crowded Places Security Debate

Sarah-Jane Prew, a security consultant from Arup, discusses the unique security challenges presented by sites that are both Critical National Infrastructure (CNI) and Publicly Accessible Locations (PALs) and offers some insight into how the sometimes opposing priorities can be managed.

Protecting Critical National Infrastructure (CNI) sites is a large part of the security profession’s role: preventing hostile intervention while assuring resilience, so that the sector can keep the nation’s critical services operational. As the name suggests, CNI is about critical services and infrastructure, and therefore security is usually associated with protecting assets and information by keeping unauthorised people out.

However, what if that CNI site is also a Publicly Accessible Location (PAL) and exists for the very function of allowing people in? How do you maintain and protect the criticality of the asset and function while not being able to keep people out? And how do you deal with the fact that the presence of all those people creates a target in itself, and thus an additional type of threat, one that aims to kill and injure crowds of people but in doing so, disrupts the very CNI function you were originally trying to protect?

Two CNI sectors typically fall into this category by definition: transport and health. An airport and a hospital, for example, exist for the very purpose of ‘allowing people in’ and yet are often defined as CNI due to their resilience and criticality, therefore requiring the levels of security afforded by their status. Increasingly, other sectors are also opening up their facilities electively to the public - many offering public realm areas in their offices where people can enter freely and enjoy a coffee, while others combine the occupation of CNI sites with other, less or non-critical, industries.

In these cases there needs to be a successful blend between protecting both the CNI and PAL elements, but often the lines between them are confused. Whereas in the protection of CNI the primary focus is on the protection of the asset and function, in a PAL the focus is on protecting crowds of people. This relatively obvious statement, however, often leads to counter-intuitive responses in the implementation of security processes.

Typically this is seen where screening is placed further and further out, away from the core of an asset. In airports, for example, and often in publicly accessible government buildings, it is common to see screening just inside the doorway or even outside. What is this security design aiming to achieve?

The introduction of this additional screening is often implemented after an incident, such as an explosive device detonating in the check-in area of an airport. The instinctive reaction is to try to prevent that from happening again. Screening before entry to the building will minimise the chances of it happening in the same place again. But will it minimise the chances of it happening elsewhere at the same site? No; if anything it offers the attacker a more convenient solution and a more accessible target: a queue outside a building, close to a glazed facade or entrance.

So what, in this instance, is the security policy trying to protect? If it is the asset, then the policy may be on the correct lines, but if it is the crowds of people that frequent the site, then they are just moving the threat elsewhere and arguably making the new target an easier and more attractive one. Needless to say, whether the target is CNI or people, the ultimate result is the same: a loss of function; only the number of casualties varies, with the addition of loss of life in the latter case.

Experience has taught us, in both the Manchester Arena incident and the Paris Stade de France attacks, that terrorists, even suicide bombers, can be easily deterred from pushing through security lines into the hearts of sites but will instead maximise the easier opportunities outside the perimeter, even if less crowded, to attack.

So why are we still seeing poor security design in so many of these sites? Is it just a lack of thought process or an unclear view of what to protect? Is it that the vulnerabilities are not sufficiently risk assessed, so there is a lack of clear focus on where to concentrate resource? Or is there sometimes a more complex issue that has something to do with conflicting priorities? This can certainly happen if the sector is in a regulated space.

Aviation, for example, a sector that has been overseen by regulation since its conception, often struggles to have a clear ability to focus on the broad range of threats now facing it because the regulators’ focus still tends to be very narrow - protecting the aircraft and the parts of the airport that are essential to ensuring this protection. Aviation security regulation is complex and often slow to respond to changes in threat profile. This is especially evident in those soft target, landside, publicly accessible parts of the airport which are essentially non-regulated spaces.

Adding to this, there is a dichotomy around regulation and the acceptance of anything beyond its requirements on the part of sites; while regulation enforces a standard of protection, even accepting that it usually plays to the lowest common denominator of those who have to abide by it, it can be doubly challenging, in a regulated space, to gain engagement with and funding for the implementation of concepts that are beyond minimum requirements.

Commerciality is another major factor that affects security decisions more often than is helpful when aiming to protect both CNI and PALs concurrently. Even where public access is inevitable, such as at an airport or railway station, the fashion in some parts of the world is to maximise public access throughout the site in an effort to increase commercial return.

Large-scale airport cities, for example, where people visit for the experience itself - because the site contains shopping malls with dining opportunities, integrated hotels, swimming pools, cinemas and even event spaces - are becoming increasingly popular, at a time when attacks on airports in recent years have been numerous, and on crowds of people even more so.

An attack on crowds of people could happen anywhere, of course, but what architects and designers often forget is that if that attack happens within a CNI site, even if it is not targeting the site itself but the people who have congregated there, the incident does not just close down the shopping mall or the cinema where the attack happened: it shuts down the entire CNI asset that surrounds it. This is especially so in aviation, because it is the larger, more significant airports - the ones more likely to be designated CNI - that tend to be the ones following this trend and offering more in the way of public amenities.

While the problem of combining CNI sites with PALs is challenging enough, and the development of commercial ventures within CNI sites increases the associated problems, issues are compounded further when little thought is given to the security of the design of such developments, because these are the exact areas of the site, especially in airports and railway stations, that are not necessarily considered under transport security regulations. This leaves security managers under pressure to develop and implement security regimes whilst enabling revenue-generating commercial activities.

Managing security design within CNI where large crowds of people are present clearly presents significant challenges. When the challenge is multi-faceted, an equally multi-faceted approach needs to be adopted to achieve the best chances of success. This involves taking a risk-based approach while working alongside a number of agencies and understanding the full range of threats and their inter-operabilities so a layered and intelligent process of security can be adopted.

The first step is to assess the risk to the site, from the perspective of the site being both CNI and a Publicly Accessible Location. Assessments need to be made as to the safety and security priorities and what measures need to be implemented to protect which assets.

From a design perspective, it is essential that security professionals are involved in any design projects from the start, to undertake these risk assessments early enough in the process that the design itself can ‘design out risk’, therefore reducing the number of security features that need to be added to minimise the risk and mitigate the effects of an attack. As well as providing the most robust security in the most aesthetically pleasing way, this is also the most cost- and time-effective way of ensuring good security.

Without early intervention and assessment of the whole site, security can be compromised by prioritising the protection of one element over another, rather than addressing the site holistically. This will lead to push-back on developing further security due to lack of space, resource or time.

Take the example of positioning security screening further out to protect an inner asset. This succeeds in reducing the risk to the inner asset but actually increases the risk to the individuals queuing to be screened by making them an easier target. If the two problems are not addressed together, then one will inevitably lose out, as the design of one in isolation is likely to compromise the security of the other.

While embedding security in the design is essential, it can’t achieve everything, and it is important to consider operational factors, especially for sites that attract large numbers of people. It is vital that all stakeholders are involved in security developments to ensure that their requirements are met and their operational needs incorporated. It is also essential that a multi-agency approach is adopted, which ensures that all those involved in managing security operations are brought together to ensure a fully co-ordinated strategy in terms of protection, detection, response, resilience and, if things do go wrong, recovery and business continuity.

Beyond the physical measures, it is important to move the security perimeter out so there is vigilance far beyond the immediate vicinity of what you are aiming to protect, particularly when this is groups of people. For example, it is too late, at a screening point, to develop a suspicion about someone who may be targeting the crowds in that screening queue. By pushing the perimeter of surveillance out beyond this, operators can monitor the demographic and behaviour of those approaching, giving time for an intervention if required.

At a time when pressure is on sites to reduce operational costs, this level of security operation is often met with reluctance, but complex security needs require layers of mitigation, and this requires both physical and operational measures.

Ultimately, those areas that are not currently governed under regulation, especially when situated within sites that have areas and operations under a regulatory framework, would benefit from more published guidance. This would ideally show clear areas of responsibility so organisations can assess their risks and priorities holistically, across the whole site, according to the risk presented, rather than with a bias of focus and resource resulting from having regulatory requirements in one place and a lack of them in another.

The above considerations offer some solutions to the challenge of protecting those CNI sites that are also Publicly Accessible Locations (PALs), a question that is going to continue to face the security industry as more CNI sites allow the public in.

Download latest Preliminary Conference Programme Guide for CIPRE

As someone responsible in your organisation for critical assets and/or infrastructure, Critical Infrastructure Protection and Resilience Europe is the leading conference that will keep you abreast of changes in legislation, current threats and the latest developments.

Download the Preliminary Conference Programme Guide at www.cipre-expo.com/guide.

What is the new directive on the Resilience of Critical Entities...

The Directive on the Resilience of Critical Entities entered into force on 16 January 2023. Member States have until 17 October 2024 to adopt national legislation to transpose the Directive.

The Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.

Are you up to date on this legislation, and do you know what you need to do to be compliant?

Get updated on the NIS2 Directive and what it means to you...

An important discussion will centre around the EU cybersecurity rules introduced in 2016 and updated by the NIS2 Directive that came into force in 2023. It modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape.

By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.

Businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.

What will this mean for you, and how can you meet the Directive's goals?

Critical Infrastructure Protection and Resilience Europe is Europe's leading discussion that brings together leading stakeholders from industry, operators, agencies and governments to collaborate on securing Europe's critical infrastructures.

The conference's top-quality programme looks at these developing themes and helps create a better understanding of the issues and the threats, to help facilitate the work to develop frameworks, good risk management, strategic planning and implementation.

The packed event themes include:

- Interdependencies and Cascading Effects
- Emerging Threats against CI
- Crisis Management, Coordination & Communication
- Power & Energy Sector Symposium
- Government, Defence & Space Sector Symposium
- Communications Sector Symposium
- Information Technology (CIIP) Sector Symposium
- Transport Sector Symposium
- CBRNE Sector Symposium
- Technologies to Detect and Protect
- Risk Mitigation and Management
- The Insider Threat
- Business Continuity Management
- EU Horizon Projects Overviews

You are invited to be a part of this program, where you can meet, network and learn from the experiences of over 40 expert international speakers, as well as industry colleagues who share the same challenges and goals.

Please join us and the CI industry in the beautiful city of Prague, on 3rd-5th October, for a great programme of discussions that can help you to deliver enhanced security and resilience for your organisation.

Visit www.cipre-expo.com for further details


Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Please find here your downloadable copy of the Summer 2023 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.

- The CNI / Crowded Places Security Debate
- Beyond Physical Protection
- Hybrid Threats
- A Comprehensive Resilience Ecosystem
- Artificial Intelligence and Cybersecurity Research
- Resilience in action
- An Interview with EU-CIP Project
- IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs
- Using the EU Space Programme for disaster risk management in Hungary
- An Interview with TIEMS
- Critical Infrastructure Protection and Resilience Europe Preview
- Agency and Industry News

Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews

Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.


Reimagining Gunshot Detection for Enhanced Community Safety

New portable system employs two methods of detection for increased accuracy and reduced false positives.

New and improved gunshot detection technology will soon make American communities of all sizes safer. The Science and Technology Directorate (S&T) and its industry partner Shooter Detection Systems (SDS) developed SDS Outdoor, a gunshot detection system that builds on existing SDS technology to deliver new capabilities that significantly improve the response and management of outdoor shootings.

Among these new capabilities are portability and ease of system set up at any location, two-source detection—sound and flash—to confirm a gunshot, real-time alerts that provide near-instant situational awareness to law enforcement and emergency medical responders, and enhanced data recording that aids apprehension and conviction of alleged shooters.

Portability allows the system to be set up practically anywhere, including near outdoor events, and a single person can install it. Additionally, the enhanced system tells law enforcement when and where a gunshot originates, cutting response times dramatically and providing police officers actionable information—for example, data that helps them to determine if there is a single shooter or multiple shooters. Agencies can then use that information to coordinate resource response and counter an active threat.

“It takes about two to three minutes for an individual to call 911 after a gunshot. Gunshot detection technology cuts that time in half and sends a notification to local law enforcement. Police could then dispatch a unit quicker to either stop the incident that's occurring or to assist in preventing any lives being taken,” said Wilhelm Thomas, officer with the New York Police Department’s (NYPD) Counterterrorism Division. “If we're there first, we can lock down the scene. This will provide security for the emergency medical services (EMS) and thus help prevent the loss of more lives.”

Although gunshot detection technology is currently in use, it can only be installed at fixed locations. For outdoor public events, portable gunshot detection technology can add another layer of security to already installed security systems like cameras.

“This system does not prevent gunshots. It detects an ongoing shooting to help first responders get there faster,” said Anthony Caracciolo, S&T program manager for First Responder Technology. “The more details officers have about an incident, the quicker they can identify and eliminate the threat, and EMS can tend injured victims safely.”

More than two years ago, S&T’s First Responder Resource Group set out to extend gunshot detection capabilities to locations that do not support fixed deployments, such as open areas where large crowds may gather temporarily. Since then, the project has progressed into prototype design, gathering opinions from first responders, and, most recently, a November 2022 Operational Field Assessment (OFA) led by S&T’s National Urban Security Technology Laboratory (NUSTL).

“We started this project because most existing gunshot detection technologies come with limitations, and they may also trigger false alarms,” said Caracciolo. “An outdoor mobile detector that can be easily deployed in the field for a concert or other outdoor event is needed.”

Detecting gunshots almost instantly

SDS Outdoor has several interesting added features. For starters, one to two people can transport and install the system. Also, the tech delivers critical intelligence about an outdoor shooting incident almost instantaneously to first responders. Moreover, it dramatically reduces false-positive alerts.

“Unlike other detection systems, which mostly rely just on acoustics, our indoor gunshot detection system pairs two types of sensors—for the firearm’s infrared flash and acoustic bang—to get the false-alert rate way down,” said Richard Onofrio, SDS’ managing director. “We've applied that same concept to this development where we've increased the coverage area considerably.”
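The sound-plus-flash confirmation described above, as an added illustration that is not SDS code: an acoustic "bang" only raises an alert when an infrared flash from the same zone precedes it within a plausible window, and single-source events are held back as unconfirmed. The event format, the time window, the sensor names and the sample events are constructed assumptions.

```python
"""Two-source gunshot confirmation: sound plus flash.

Added illustration of the sound-and-flash concept; not SDS code. The event
format, the lag window and the sample events are constructed assumptions.
"""
from dataclasses import dataclass

SPEED_OF_SOUND_M_S = 343.0   # dry air at about 20 C (assumption)

@dataclass(frozen=True)
class SensorEvent:
    kind: str        # "flash" (infrared sensor) or "bang" (acoustic sensor)
    t: float         # seconds on a clock shared by all sensors
    sensor_id: str
    zone: str        # coverage zone the sensor watches

@dataclass
class Alert:
    t: float
    zone: str
    flash_sensor: str
    bang_sensor: str
    distance_m: float    # estimated from the flash-to-bang lag

def confirm_gunshots(events, max_lag_s=0.5):
    """Pair each acoustic bang with an earlier infrared flash in the same zone.

    Light arrives effectively instantly and sound about 343 m/s later, so a
    bang that follows a flash by 0..max_lag_s is consistent with a shot up to
    max_lag_s * 343 m away (assuming co-located IR and acoustic sensors).
    A bang with no flash (door slam, backfire) or a flash with no bang (camera
    strobe) is returned as unconfirmed rather than alerted; that is where the
    false-positive reduction comes from.
    Returns (confirmed alerts, unconfirmed single-source events).
    """
    flashes = sorted((e for e in events if e.kind == "flash"), key=lambda e: e.t)
    bangs = sorted((e for e in events if e.kind == "bang"), key=lambda e: e.t)
    used = set()
    alerts, unconfirmed = [], []
    for bang in bangs:
        match = None
        for flash in flashes:
            if flash in used or flash.zone != bang.zone:
                continue
            lag = bang.t - flash.t
            if 0.0 <= lag <= max_lag_s:
                match = flash
                break      # earliest unused flash inside the window wins
        if match is None:
            unconfirmed.append(bang)
            continue
        used.add(match)    # one flash confirms at most one bang
        alerts.append(Alert(match.t, bang.zone, match.sensor_id, bang.sensor_id,
                            (bang.t - match.t) * SPEED_OF_SOUND_M_S))
    unconfirmed.extend(f for f in flashes if f not in used)
    return alerts, unconfirmed

# Constructed sample events from a hypothetical four-sensor deployment.
SAMPLE_EVENTS = [
    SensorEvent("flash", 100.000, "ir-north", "north"),
    SensorEvent("bang",  100.120, "mic-north", "north"),  # ~41 m away: confirmed
    SensorEvent("bang",  105.000, "mic-south", "south"),  # no flash: unconfirmed
    SensorEvent("flash", 110.000, "ir-north", "north"),   # no bang: unconfirmed
    SensorEvent("bang",  100.120, "mic-east", "east"),    # other zone: unconfirmed
]

if __name__ == "__main__":
    alerts, held = confirm_gunshots(SAMPLE_EVENTS)
    for a in alerts:
        print(f"ALERT zone={a.zone} t={a.t:.3f} ~{a.distance_m:.0f} m "
              f"({a.flash_sensor} + {a.bang_sensor})")
    for e in held:
        print(f"unconfirmed {e.kind} from {e.sensor_id} at t={e.t:.3f}")
```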

Prior to an outdoor event, officers can map out placement locations, install the system in minutes, and select the response agencies whom SDS Outdoor will alert if a shooting occurs.

As a plus, the gunshot detection tech’s alerting software integrates with the existing platforms used by first responders, including security cameras and dispatch systems. If internet is unavailable at an event site—no problem! The tech can communicate with the software application directly in more of a ‘local only’ mode.

The One Sea Association and ESA partner to support the uptake of autonomous shipping in the maritime sector

The One Sea Association and the European Space Agency (ESA) have signed a Memorandum of Intent (MoI) to support the uptake of autonomous shipping in the maritime sector, underpinned by space solutions.

One Sea and ESA have decided to establish a strategic collaboration to promote the development of new space-enabled services which will support the maritime sector’s transition towards autonomous shipping. Autonomous shipping offers new opportunities to deploy safe, commercially viable, and environmentally sustainable maritime operations.

Satellite communications and satellite navigation play a key role in the adoption of autonomous shipping technologies and operations. During offshore passages, ships are often far from land, and satellites can offer invaluable secure and resilient communication channels for monitoring, command, and control of autonomous ships. Furthermore, in ports and congested areas, high-precision Position, Navigation and Timing (PNT) provided by satellites is also critical for the safe operation of autonomous shipping.

This new partnership will combine One Sea’s unique expertise in the maritime sector and in autonomous shipping with ESA’s technical competence and mandate through the Business Applications and Space Solutions programme to support the development and demonstration of space solutions in addressing user needs.


CISA Urges Organizations to Incorporate the FCC Covered List Into Risk Management Plans

The Federal Communications Commission (FCC) maintains a Covered List of communications equipment and services that have been determined by the U.S. government to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons, pursuant to the Secure and Trusted Communications Networks Act of 2019.

As the 6th annual National Supply Chain Integrity Month concludes, CISA reminds all critical infrastructure owners and operators to take necessary steps in securing the nation’s most critical supply chains. CISA urges organizations to incorporate the Covered List into their supply chain risk management efforts, in addition to adopting recommendations listed in Defending Against Software Supply Chain Attacks—a joint CISA and NIST resource that provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework to identify, assess, and mitigate risks. All critical infrastructure organizations are also urged to enroll in CISA’s free Vulnerability Scanning service for assistance in identifying vulnerable or otherwise high-risk devices such as those on FCC’s Covered List.
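One way to act on the recommendation above, as an added example that is not CISA or FCC code: screen an asset inventory against Covered List entries, checking the actual manufacturer as well as the brand on the purchase record, since covered hardware is often resold under another name. The Covered List records, aliases and inventory below are constructed placeholders, not the real list; the current list must be taken from the FCC.

```python
"""Screen an asset inventory against FCC Covered List entries.

Added illustration of the CISA recommendation; not CISA or FCC code. The
Covered List records and the inventory below are constructed PLACEHOLDERS:
pull the current Covered List from the FCC before real use.
"""
import re
from dataclasses import dataclass

# Constructed placeholder records in the shape of Covered List entries:
# the named entity, the equipment/service scope, and known trade names.
COVERED_LIST = [
    {"entity": "Example Telecom Vendor A", "scope": "telecommunications equipment",
     "aliases": ["ExampleTelecomA", "ETV-A"]},
    {"entity": "Example Video Surveillance Co", "scope": "video surveillance equipment",
     "aliases": ["ExVidSurv"]},
    {"entity": "Example Security Software Ltd", "scope": "information security products and services",
     "aliases": ["ExSecSoft"]},
]

_SUFFIXES = r"\b(inc|ltd|llc|co|corp|corporation|company|gmbh|plc)\b"

def normalize(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes so that
    'ExVidSurv, Inc.' and 'ExVidSurv Co' compare equal."""
    name = re.sub(r"[^a-z0-9 ]+", " ", name.lower())
    name = re.sub(_SUFFIXES, " ", name)
    return " ".join(name.split())

@dataclass
class Asset:
    asset_id: str
    vendor: str          # brand on the purchase record or label
    oem: str = ""        # actual manufacturer when the gear is white-labelled
    product: str = ""
    location: str = ""

@dataclass
class Finding:
    asset_id: str
    matched_on: str      # "vendor" or "oem"
    entity: str          # Covered List entity the asset was linked to
    scope: str

def build_index(covered=COVERED_LIST) -> dict:
    """Map every normalized entity name and alias to its Covered List record."""
    index = {}
    for entry in covered:
        for name in [entry["entity"], *entry.get("aliases", [])]:
            index[normalize(name)] = entry
    return index

def lookup(name: str, index: dict):
    """Exact match first, then whole-token containment, so 'ExSecSoft Endpoint'
    still resolves to the ExSecSoft entry while a short alias cannot fire
    inside an unrelated word."""
    key = normalize(name)
    if not key:
        return None
    if key in index:
        return index[key]
    padded = f" {key} "
    for cand, entry in index.items():
        if f" {cand} " in padded:
            return entry
    return None

def screen_inventory(assets, covered=COVERED_LIST):
    """Return one Finding per asset whose vendor or OEM is on the list.
    The OEM field matters: a covered manufacturer's hardware is often sold
    under a reseller's brand, which a vendor-only check would miss."""
    index = build_index(covered)
    findings = []
    for asset in assets:
        for field_name in ("vendor", "oem"):
            entry = lookup(getattr(asset, field_name), index)
            if entry is not None:
                findings.append(Finding(asset.asset_id, field_name,
                                        entry["entity"], entry["scope"]))
                break   # one finding per asset is enough for triage
    return findings

# Constructed sample inventory.
INVENTORY = [
    Asset("A-001", "Example Telecom Vendor A, Inc.", product="small cell", location="site-1"),
    Asset("A-002", "Acme Reseller", oem="ExVidSurv Co.", product="NVR-200", location="lobby"),
    Asset("A-003", "Trusted Networks Ltd", product="core switch", location="dc-1"),
    Asset("A-004", "ExSecSoft Endpoint", product="EDR agent", location="workstations"),
]

if __name__ == "__main__":
    for f in screen_inventory(INVENTORY):
        print(f"{f.asset_id}: {f.matched_on} matches Covered List entity "
              f"'{f.entity}' ({f.scope})")
```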

To learn more about CISA’s supply chain efforts and to view resources, visit CISA.gov/supply-chain-integrity-month.

NATO and European Union launch task force on resilience of critical infrastructure

Senior officials from NATO and the European Union met to launch a new NATO-EU Task Force on Resilience of Critical Infrastructure. Cooperation to strengthen critical infrastructure has become even more important in light of the sabotage against the Nord Stream pipelines, and Russia’s weaponisation of energy as part of its war of aggression against Ukraine.

First announced by NATO Secretary General Jens Stoltenberg and European Commission President Ursula von der Leyen in January, the initiative brings together officials from both organisations to share best practices, share situational awareness, and develop principles to improve resilience. The Task Force will begin by focusing on four sectors: energy, transport, digital infrastructure, and space.

Announcing the initiative in January, Mr Stoltenberg said: "We want to look together at how to make our critical infrastructure, technology and supply chains more resilient to potential threats, and to take action to mitigate potential vulnerabilities. This will be an important step in making our societies stronger and safer."

NATO-EU cooperation has reached unprecedented levels in recent years, and particularly since the start of Russia’s war of aggression against Ukraine. In January, NATO and EU leaders signed a new joint declaration to take partnership between the organisations to a new level, including on emerging and disruptive technologies, space, and the security impact of climate change.

GAO Wants Time Frames to Complete DHS Efforts on Critical Infrastructure Security

Protecting critical infrastructure—like water supplies, electricity grids, and food production—is a national priority. Events like natural disasters or cyberattacks can disrupt services that Americans need for daily life.

Many federal agencies are tasked with protecting the nation's critical infrastructure and look to the Cybersecurity and Infrastructure Security Agency for leadership on how to do it.

A 2021 law expanded these agencies' responsibilities and added some new ones. CISA is working on guidance and more to help agencies implement these responsibilities. We recommended that CISA set timelines for completing this work.

GAO found that the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 expanded and added responsibilities for sector risk management agencies. These agencies engage with their public and private sector partners to promote security and resilience within their designated critical infrastructure sectors. Some officials from these agencies described new activities to address the responsibilities set forth in the act, and many reported having already conducted related activities. For example, the act added risk assessment and emergency preparedness as responsibilities not previously included in a key directive for sector risk management agencies. New activities officials described to address these responsibilities included developing a risk analysis capability and updating emergency preparedness products.

The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has identified and undertaken efforts to help sector risk management agencies implement their statutory responsibilities. For example, CISA officials stated they are updating key guidance documents, including the 2013 National Infrastructure Protection Plan and templates for revising sector-specific guidance documents. CISA officials also described efforts underway to improve coordination with sector partners, such as reconvening a leadership council. Sector risk management agency officials for a majority of critical infrastructure sectors reported that additional guidance and improved coordination from CISA would help them implement their statutory responsibilities. However, CISA has not developed milestones and timelines to complete its efforts. Establishing milestones and timelines would help ensure CISA completes these efforts in a timely manner.

Why GAO Did This Study

Critical infrastructure provides essential functions, such as supplying water, generating energy, and producing food, that underpin American society. Disruption or destruction of the nation's critical infrastructure could have debilitating effects. CISA is the national coordinator for infrastructure protection.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to report on the effectiveness of sector risk management agencies in carrying out responsibilities set forth in the act. This report addresses (1) how the act changed agencies' responsibilities, and the actions agencies have reported taking to address them; and (2) the extent to which CISA has identified and undertaken efforts to help agencies implement their responsibilities set forth in the act.

GAO analyzed the act and relevant policy directives, collected written responses from all 16 sectors using a standardized information collection tool, reviewed other DHS documents, and interviewed CISA officials.

Recommendations

The Director of CISA should establish milestones and timelines to complete its efforts to help sector risk management agencies carry out their responsibilities. DHS concurred with the recommendation. Additionally, GAO has made over 80 recommendations which, when fully implemented, could help agencies address their statutory responsibilities.

Recommendations for Executive Action

Agency Affected: Cybersecurity and Infrastructure Security Agency

Recommendation 1: The Director of CISA should establish milestones and timelines for its efforts to provide guidance and improve coordination and information sharing that would help SRMAs implement their FY21 NDAA responsibilities, and ensure the milestones and timelines are updated through completion.

Status: Actions to satisfy the intent of the recommendation have not been taken or are being planned.
