A new report from the U.S. Government Accountability Office (GAO) finds that until the Cybersecurity and Infrastructure Agency (CISA) fully implements its organization plan, it may put the country at risk for identifying and responding to cyberattacks.
The GAO said legislation in 2018 elevated Cybersecurity and Infrastructure Security to an agency within the Department of Homeland Security. DHS launched an organizational transformation initiative that fell into three phases. The GAO found that CISA had completed two of those three phases.
“While CISA intended to fully implement the transformation by December 2020, it had completed 37 of 94 planned tasks for phase three by mid-February 2021,” the GAO said in its report. “Among the tasks not yet completed, 42 of them were past their most recent planned completion dates. Included in these 42 are the tasks of finalizing the mission-essential functions of CISA’s divisions and issuing a memorandum defining incident management roles and responsibilities across CISA.”
Those tasks are critical to CISA’s transformation, the GAO said, as well as its ability to effectively and efficiently carry out its mission.
The GAO said the agency had yet to establish an overall deadline for completing the transformation initiative and that until it carries out the final phase of its transformation initiative, it may “impair the agency’s ability to identify and respond to incidents, such as the cyberattack discovered in December 2020 that caused widespread damage.”
Additionally, the GAO found that some government and private-sector stakeholders from the sectors considered to be critical infrastructures, like financial institutions, telecommunications, and energy, reported having challenges coordinating with CISA.
The GAO recommended CISA establish a new expected completion date for the last phase of the transformation initiative, as well as completion dates for the tasks that are part of that final phase. The GAO also recommended the agency address reform practices and infrastructure challenges.
The Department of Homeland Security agreed with the recommendations, the GAO said.