Performance evaluation

CISA Not Doing Enough to Support Communications Sector, GAO Says

The Government Accountability Office said the Cybersecurity and Infrastructure Security Agency has not assessed the effectiveness of its programs and services to support the communications sector.

In a recent report, the GAO noted that CISA has not determined which types of infrastructure owners and operators may benefit most from its cybersecurity initiatives, and, as a result, could be underrepresented in information-sharing activities, Homeland Security Today reported.

In view of the shortcomings, the GAO urged the agency to immediately assess the effectiveness of its programs supporting the communications sector. The watchdog called on CISA to develop and implement metrics as well as other methods of analyzing the feedback received from the communications industry’s stakeholders to determine the relevance of efforts supporting the sector’s security and resilience.

The GAO also asked CISA to complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities and conducting a capability gap analysis to identify if and where other resources may be needed.

Furthermore, it was also recommended that CISA produce a revised Communications Sector-Specific Plan, to include goals, objectives and priorities that address new and emerging threats and risks to the sector and that are in alignment with sector risk management agency responsibilities.

Meanwhile, CISA officials told GAO that they have not assessed the effectiveness of actions to support the communications sector due to challenges in developing metrics to measure the effectiveness of its actions, including collecting voluntary information from sector owners and operators.

CISA is the designated lead agency, or sector risk management agency, responsible for coordinating efforts to help protect and improve the security and resilience of the communications sector. It primarily supports the communications sector through incident management and information-sharing activities, Homeland Security Today reported.