The Government Accountability Office (GAO) has issued the Department of Homeland Security (DHS) a series of recommendations regarding chemical facility cybersecurity oversight.
Officials said DHS’s Chemical Facility Anti-Terrorism Standards (CFATS) program evaluates high-risk chemical facilities’ cybersecurity efforts via inspections, including reviewing policies and procedures, interviewing relevant officials, and verifying facilities’ implementation of agreed-upon security measures.
DHS guidance designed to aid 3,300 facilities in complying with cybersecurity and other standards has not been updated in over 10 years, and its cybersecurity training program for inspectors does not follow some essential training practices.
The GAO issued recommendations, including that the Assistant Director of the Infrastructure Security Division should implement a documented process for reviewing and, if necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals, and should incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals. It was also recommended that DHS track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher training; develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms; develop a workforce plan that addresses the program’s cybersecurity-related needs, which should include an analysis of any gaps in the program’s capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them; and maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise.