Critical Infrastructure Protection: CISA Should Improve Priority Setting, Stakeholder Involvement, and Threat Information Sharing

The risk environment for critical infrastructure ranges from extreme weather events to physical and cybersecurity attacks. The majority of critical infrastructure is owned and operated by the private sector, making it vital that the federal government work with the private sector, along with state, local, tribal, and territorial partners. The Cybersecurity and Infrastructure Security Agency (CISA) is the lead federal agency responsible for overseeing domestic critical infrastructure protection efforts. The U.S. Government Accountability Office (GAO) was asked to review CISA’s critical infrastructure prioritization activities. This report examines (1) the extent to which the National Critical Infrastructure Prioritization Program currently identifies and prioritizes nationally significant critical infrastructure, (2) CISA’s development of the National Critical Functions framework, and (3) key services and information that CISA provides to mitigate critical infrastructure risks. GAO analyzed agency documentation and conducted interviews with critical infrastructure stakeholders representing the energy, water and wastewater systems, critical manufacturing, and information technology sectors; six of 10 CISA regions; and six states to understand the need for any improvements to CISA’s efforts, among other things. GAO selected these six states based on population size and the amounts of grant awards received from the Department of Homeland Security's (DHS’s) State Homeland Security Program.

Language

  • English

Media Info

  • Media Type: Digital/other
  • Features: Appendices; Figures; Maps; Photos; References; Tables;
  • Pagination: 61p

Subject/Index Terms

Filing Info

  • Accession Number: 01838781
  • Record Type: Publication
  • Report/Paper Numbers: GAO-22-104279
  • Files: TRIS
  • Created Date: Mar 17 2022 9:04AM