CISA Should Set Deadline for Full Implementation of Organization Plan, GAO Says
The Cybersecurity and Infrastructure Security Agency might struggle to identify and respond to cybersecurity incidents until it fully implements its organization plan, the Government Accountability Office said in a report.
GAO said CISA has so far finished two of the three phases of its plan, and that only a third of the final phase has been completed. The final phase was due for completion in December 2020, Homeland Preparedness News reported.
According to GAO, CISA had completed 37 of 94 planned tasks for phase three as of mid-February. Forty-two of the incomplete tasks were past the agency’s most recent planned completion dates.
Among the 42 tasks are the finalization of the mission-essential functions of CISA’s divisions and the issuing of a memorandum defining incident management roles and responsibilities.
Such tasks are apparently critical to CISA’s transformation initiatives and its ability to effectively execute cybersecurity operations, GAO added in the report.
The government watchdog recommended that CISA establish new expected completion dates for the final phase of its organization plan as well as an overall deadline for the completion of its transformation initiative. CISA has agreed with the recommendations.
GAO said it conducted the study after CISA’s national security role was elevated by the discovery of the SolarWinds data breach in December 2020.
The Russia-linked hack compromised the networks of several federal government agencies and about a hundred American companies.
CISA acting Director Brandon Wales has acknowledged weaknesses in the government’s Einstein intrusion detection system, whose perimeter-focused security measures were expected to deter the SolarWinds breach.
Former CISA Director Chris Krebs, a two-time Wash100 winner, has told the House Homeland Security Committee that the United States should expect similar cyber attacks from China, Russia, Iran and North Korea.
Tags: Brandon Wales Chris Krebs CISA cybersecurity Department of Homeland Security DHS GAO Government Accountability Office national security SolarWinds transformation Wash100