The Cybersecurity and Infrastructure Security Agency won’t be fully up and running until it implements its third and final phase of organizational changes, according to a new report.
While the CISA Act of 2018 elevated the agency and saw it create a new organization chart and consolidate incident response centers and infrastructure security points of contact, 57 planned tasks were incomplete as of mid-February, the Government Accountability Office reported.
Until CISA’s organizational changes are finished, it will remain “difficult” for the agency to confront national cyber incidents like the SolarWinds hack that compromised at least nine federal agencies, reads GAO’s report.
“Until it establishes updated milestones and an overall deadline for its efforts, and expeditiously carries out these plans, CISA will be hindered in meeting the goals of its organizational transformation initiative,” the report states. “This in turn may impair the agency’s ability to identify and respond to incidents, such as the cyberattack discovered in December 2020 that caused widespread damage.”
CISA planned to finish the initiative in December, and all major tasks were completed by then, according to the agency. But CISA has yet to finalize mission-essential functions of its divisions or issue a memo defining incident management roles and responsibilities.
The agency’s deputy director and chief of transformation told GAO in November that delays were due to a need to obtain buy-in from government, including Congress, and industry. Coordination between Department of Homeland Security leadership and the Office of Management and Budget also took longer than expected, delaying later tasks dependent upon earlier ones.
Tasks affecting CISA employees need to be done right, and the COVID-19 pandemic has had “minimal impact” on completion, according to officials.
GAO recommended CISA set new expected completion dates for 42 tasks past their planned deadlines while prioritizing mission-critical ones. CISA already plans to create an updated, prioritized task list and reset its overall deadline for March 2021, the agency responded.
CISA generally addressed four reforms around using data and evidence, but five around workforce planning were only partially addressed.
“Workforce planning is especially important for CISA, given the criticality of hiring and retaining experts who, among other things, can help identify and respond to complex attacks,” reads GAO’s report. “CISA did conduct an initial assessment of its cybersecurity workforce in 2019; however, it is still working on analyzing capability gaps and determining how to best fill those gaps.”
A recommendation to ensure CISA’s employee performance management system aligns with the agency’s new organizational structure and goals remains unaddressed, despite officials’ assertion to the contrary, according to GAO.
GAO recommended CISA address outstanding reforms, to which the agency responded it’s working to create performance measures and a comprehensive workforce planning strategy.
Select government and industry partners across 16 infrastructure sectors — banking and financial institutions, telecommunications, and energy among them — told GAO they had challenges coordinating with CISA.
A total of seven partners reported a lack of clarity on organizational changes, seven a lack of involvement developing guidance, five a lack of timely response, three an inconsistent distribution of information, and three a lack of access to actionable intelligence.
CISA is tracking stakeholder inquiries for timely responses and holding tailored intelligence briefings, but it needs to address the three outstanding infrastructure challenges, GAO recommended.