CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector

The Communications Sector is an integral component of the U.S. economy and faces serious physical, cyber-related, and human threats that could affect the operations of local, regional, and national level networks, according to the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and sector stakeholders.

The communications sector—comprising mostly private broadcast, cable, satellite, wireless, and wired systems and networks—is vital to national security.

The Cybersecurity and Infrastructure Security Agency supports the security and resilience of this sector, primarily through incident management and information-sharing activities. For instance, the agency coordinates federal activities during severe weather events, and manages cybersecurity programs.

However, the agency has not assessed the effectiveness of its programs and services to support this sector. We recommended that it do so.

In addition, CISA determined that the Communications Sector depends on other critical infrastructure sectors—in particular, the Energy, Information Technology, and Transportation Systems Sectors—and that damage, disruption, or destruction to any one of these sectors could severely impact the operations of the Communications Sector.

CISA primarily supports the Communications Sector through incident management and information-sharing activities, such as coordinating federal activities to support the sector during severe weather events and managing cybersecurity programs, but has not assessed the effectiveness of these actions. For example, CISA has not determined which types of infrastructure owners and operators (e.g., large or small telecommunications service providers) may benefit most from CISA's cybersecurity programs and services or may be underrepresented participants in its information-sharing activities and services. By assessing the effectiveness of its programs and services, CISA would be better positioned to identify its highest priorities.

CISA has also not updated the 2015 Communications Sector-Specific Plan, even though DHS guidance recommends that such plans be updated every 4 years. As a result, the current 2015 plan lacks information on new and emerging threats to the Communications Sector, such as security threats to the communications technology supply chain, and disruptions to position, navigation, and timing services. Developing and issuing an updated plan would enable CISA to set goals, objectives, and priorities that address threats and risks to the sector, and help meet its sector risk management agency responsibilities.

GAO is making three recommendations to CISA, including that CISA assess the effectiveness of its support to the Communications Sector, and revise its Communications Sector-Specific Plan. The Department of Homeland Security concurred with the recommendations. The Department of Commerce and the Federal Communications Commission did not provide comments on the draft report.

The Director of CISA should assess the effectiveness of CISA's programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience. (Recommendation 1)

The Director of CISA should complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. (Recommendation 2)

The Director of CISA, in coordination with public and private Communications Sector stakeholders, should produce a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities. (Recommendation 3)

Electricity Grid Resilience

The nation’s grid delivers electricity that is essential for modern life. However, the grid faces risks from events that can damage electrical infrastructure (such as power lines) and communications systems, resulting in power outages. These outages can threaten the nation’s economic and national security.

They can also disproportionately affect low-income groups, in part because such groups have fewer resources to invest in backup generators and other measures to minimize the impact of outages.Even though most of the electricity grid is owned and operated by private industry, the federal government plays a key role in enhancing grid resilience.
• The Department of Homeland Security (DHS) is responsible for coordinating the overall federal effort to promote the security and resilience of the nation’s critical infrastructure sectors.
• The Department of Energy (DOE) leads federal efforts to support electricity grid resilience, including research and technology development by national laboratories.
• The Federal Energy Regulatory Commission (FERC) reviews and approves standards developed by the North American Electric Reliability Corporation, the federally designated U.S. electric reliability organization.

Key Issues
The electricity grid faces multiple risks that can cause widespread power outages.
Risks:
- Extreme weather and climate change
- Cyber- and physical attacks
- Electromagnetic events

In addition to the risks described in the prior page, the electric utility industry faces complex challenges and transformations, including:
• aging infrastructure;
• adoption of new technologies, such as information and communication systems
to improve the grid’s efficiency; and
• a changing mix of power generation. The traditional model of large, centralized power generators is evolving as retiring generators are replaced with variable wind and solar generators, smaller and more flexible natural gas generators, and nontraditional resources. Such resources include demand-response activities which encourage consumers to reduce their demand for electricity when the cost to generate electricity are high, and various technologies (e.g., solar panels) that generate electricity at or near where it will be used—known as “distributed generation.”

Key Opportunities
Agencies have implemented several of GAO’s recommendations for improving electricity grid resilience. For example, in March 2016, we recommended that DHS designate roles and responsibilities within the department for addressing electromagnetic risks, which DHS did in 2017. However, as of September 2021, agencies had not yet implemented a number of GAO recommendations that represent key opportunities to mitigate risks in the following areas:

- Extreme weather and climate change - Prioritize efforts and target resources effectively. Enhance grid resilience efforts. Better manage climate-related risks
- Cyberattacks - Assess all cybersecurity risks. Address risks to distribution systems Consider changes to current standards. Evaluate potential risks of a coordinated attack

TSA Takes Steps to Address Some Pipeline Security Program Weaknesses

The nation's pipelines are vulnerable to cyber-based attacks due to increased reliance on computerized systems. In May 2021 malicious cyber actors deployed ransomware against Colonial Pipeline's business systems. The company subsequently disconnected certain systems that monitor and control physical pipeline functions so that they would not be compromised.
Protecting the nation's pipeline systems from security threats is a responsibility shared by both the Transportation Security Administration (TSA) and private industry stakeholders. Prior to issuing a cybersecurity directive in May 2021, TSA's efforts included issuing voluntary security guidelines and security reviews of privately owned and operated pipelines. GAO reports in 2018 and 2019 identified some weaknesses in the agency's oversight and guidance, and made 15 recommendations to address these weaknesses. TSA concurred with GAO's recommendations and has addressed most of them, such as clarifying portions of its Pipeline Security Guidelines improving its monitoring of security review performance, and assessing staffing needs.
As of June 2021, TSA had not fully addressed two pipeline cybersecurity-related weaknesses that GAO previously identified. These weaknesses correspond to three of the 15 recommendations from GAO's 2018 and 2019 reports.
Incomplete information for pipeline risk assessments. GAO identified factors that likely limit the usefulness of TSA's risk assessment methodology for prioritizing pipeline security reviews. For example, TSA's risk assessment did not include information consistent with critical infrastructure risk mitigation, such as information on natural hazards and cybersecurity risks. GAO recommended that TSA develop data sources relevant to pipeline threats, vulnerabilities, and consequences of disruptions. As of June 2021, TSA had not fully addressed this recommendation.
Aged protocols for responding to pipeline security incidents. GAO reported in June 2019 that TSA had not revised its 2010 Pipeline Security and Incident Recovery Protocol Plan to reflect changes in pipeline security threats, including those related to cybersecurity. GAO recommended that TSA periodically review, and update its 2010 plan. TSA has begun taking action in response to this recommendation, but has not fully addressed it, as of June 2021.
TSA's May 2021 cybersecurity directive requires that certain pipeline owner/operators assess whether their current operations are consistent with TSA's Guidelines on cybersecurity, identify any gaps and remediation measures, and report the results to TSA and others. TSA's July 2021 cybersecurity directive mandates that certain pipeline owner/operators implement cybersecurity mitigation measures; develop a Cybersecurity Contingency Response Plan in the event of an incident; and undergo an annual cybersecurity architecture design review, among other things. These recent security directives are important requirements for pipeline owner/operators because TSA's Guidelines do not include key mitigation strategies for owner/operators to reference when reviewing their cyber assets. TSA officials told GAO that a timely update to address current cyber threats is appropriate and that they anticipate updating the Guidelines over the next year.

GAO Cybersecurity Report and Recommendations for HHS

The Government Accountability Office (GAO) wants HHS to improve cybersecurity efforts by strengthening collaboration within the department and with the broader healthcare sector.
Health care organizations' IT systems are critical to the nation's well-being. Cyberattacks on them could, for example, put patient privacy at risk or disrupt essential telehealth services. (The nation's cybersecurity is on our High Risk List.)
The Department of Health and Human Services coordinates with health care organizations and others to support cybersecurity efforts. Its policies and procedures clearly describe roles and responsibilities, which is good for collaboration.
GAO is making seven recommendations to HHS to improve its collaboration and coordination within the department and the sector:
1. The HHS secretary should have the CIO overseeing the coordination and sharing of cybersecurity information between the Health Sector Cybersecurity Coordination Center and Healthcare Threat Operations Center.
2. The HHS secretary should order the CIO to monitor, evaluate and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
3. HHS should direct the assistant secretary for preparedness and response to monitor, evaluate and report on the progress and performance of the Government Coordinating Council's Cybersecurity Working Group and HHS Cybersecurity Working Group.
4. HHS should have the CIO regularly monitor and update written agreements that describe how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will collaborate and ensure that officials review and approve the updated agreements.
5. HHS should direct the assistant secretary for preparedness and response to ensure that authorizing officials review and approve the charter describing how the HHS Cybersecurity Working Group will manage collaboration.
6. HHS should have the assistant secretary for preparedness and response do the following: finalize written agreements that include a description of how the Government Coordinating Council's Cybersecurity Working Group will work together; identify the working group's roles and responsibilities; monitor and update the written agreements on a regular basis; and ensure that authorizing officials leading the working group approve the final agreements.
7. HHS should tell the assistant secretary for preparedness and response to update the charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year and ensure that authorizing officials overseeing the group review and approve the updated charter.

GAO Report: Opportunities Exist for DOE to Better Support Utilities in Improving Resilience to Hurricanes

Hurricanes are a leading cause of major power outages in the U.S., impacting millions of customers in recent years. Utilities in hurricane-affected states have invested in ways to better equip their grids to withstand and rapidly recover from hurricanes. For example, some utilities have elevated equipment to protect grid infrastructure from flooding.
The Department of Energy and its National Laboratories are developing planning tools, such as metrics to track grid resilience. However, we recommended that DOE create a plan to better guide these efforts and to better inform utilities about available resources at its National Labs.
Since 2012, utilities have taken steps to improve grid resilience to severe hurricanes, such as (1) implementing storm hardening measures to enable the grid to better withstand the effects of hurricanes; (2) adopting technologies to enhance operational capacity and help quickly restore service following disruptions; and (3) participating in mutual aid programs with other utilities and training and planning exercises. For example, utilities have implemented storm hardening measures that include elevating facilities and constructing flood walls to protect against storm surges. Utilities have also adopted technologies that enhance communication capabilities and monitor systems to detect, locate, and repair sources of disruptions. However, these utilities reported challenges justifying grid resilience investments to obtain regulatory approval, and some utilities have limited resources to pursue such enhancements.
Various federal agencies can provide funding for efforts to enhance grid resilience to hurricanes, including the Department of Agriculture (USDA) and the Federal Emergency Management Agency (FEMA). However, eligibility for most federal funding for grid resilience, including some USDA and FEMA funding, is limited to publicly owned utilities and state, tribal, and local governments. The Department of Energy (DOE) does not provide direct funding for grid resilience improvements, but it has efforts under way, including through its National Laboratories, to provide technical assistance and promote research and collaboration with utilities. DOE has also initiated preliminary efforts to develop tools for resilience planning, including resilience metrics and other tools such as a framework for planning, but DOE does not have a plan to guide these efforts. Without a plan to guide DOE efforts to develop tools for resilience planning, utilities may continue to face challenges justifying resilience investments. In addition, DOE lacks a formal mechanism to inform utilities about the efforts of its National Laboratories. Such a mechanism would help utilities leverage existing resources for improving grid resilience to hurricanes.
Hurricanes pose significant threats to the electricity grid in some U.S. coastal areas and territories and are a leading cause of major power outages. In recent years, hurricanes have impacted millions of customers in these areas. Adoption of technologies and other measures could improve the resilience of the grid so that it is better able to withstand and rapidly recover from severe weather; this could help mitigate the effects of hurricanes.
This report examines (1) measures utilities in selected states have adopted to enhance grid resilience following major hurricanes since 2012 and any challenges utilities face funding such measures; and (2) federal efforts to support the adoption of measures to enhance grid resilience to hurricanes and any opportunities that exist to improve these efforts. For this report, GAO assessed agency and industry actions; reviewed relevant reports, policies, and documents; and interviewed federal, industry, and local officials.
GAO recommends that DOE (1) establish a plan to guide its efforts to develop tools for resilience planning, and (2) develop a mechanism to better inform utilities about grid resilience efforts at the National Laboratories. DOE agreed in principle with these recommendations, but its proposed actions do not fully address GAO's concerns.
Full report can be found here >>

GAO report finds DOD’s weapons programs lack clear cybersecurity guidelines

DOD's network of sophisticated, expensive weapon systems must work when needed, without being incapacitated by cyberattacks. However, GAO reported in 2018 that DOD was routinely finding cyber vulnerabilities late in its development process.
A Senate report accompanying the National Defense Authorization Act for Fiscal Year 2020 included a provision for GAO to review DOD's implementation of cybersecurity for weapon systems in development. GAO's report addresses (1) the extent to which DOD has made progress in implementing cybersecurity for weapon systems during development, and (2) the extent to which DOD and the military services have developed guidance for incorporating weapon systems cybersecurity requirements into contracts.
Since GAO's 2018 report, the Department of Defense (DOD) has taken action to make its network of high-tech weapon systems less vulnerable to cyberattacks. DOD and military service officials highlighted areas of progress, including increased access to expertise, enhanced cyber testing, and additional guidance. For example, GAO found that selected acquisition programs have conducted, or planned to conduct, more cybersecurity testing during development than past acquisition programs. It is important that DOD sustain its efforts as it works to improve weapon systems cybersecurity.
Contracting for cybersecurity requirements is key. DOD guidance states that these requirements should be treated like other types of system requirements and, more simply, “if it is not in the contract, do not expect to get it.” Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met. However, GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria, or verification processes. For example, GAO found that contracts for three of the five programs did not include any cybersecurity requirements when they were awarded. A senior DOD official said standardizing cybersecurity requirements is difficult and the department needs to better communicate cybersecurity requirements and systems engineering to the users that will decide whether or not a cybersecurity risk is acceptable.
DOD and the military services have developed a range of policy and guidance documents to improve weapon systems cybersecurity, but the guidance usually does not specifically address how acquisition programs should include cybersecurity requirements, acceptance criteria, and verification processes in contracts. Among the four military services GAO reviewed, only the Air Force has issued service-wide guidance that details how acquisition programs should define cybersecurity requirements and incorporate those requirements in contracts. The other services could benefit from a similar approach in developing their own guidance that helps ensure that DOD appropriately addresses cybersecurity requirements in contracts.
GAO is recommending that the Army, Navy, and Marine Corps provide guidance on how programs should incorporate tailored cybersecurity requirements into contracts. DOD concurred with two recommendations, and stated that the third—to the Marine Corps—should be merged with the one to the Navy. DOD's response aligns with the intent of the recommendation.

Improved Performance Planning Could Strengthen Technology Transfer

A Department of Energy national lab developed a battery that now powers some hybrid and electric cars. But how do new energy technologies get from the lab to the market?
Transferring technologies from the DOE to private companies isn't always easy. Barriers such as the "valley of death"—a gap between the end of public funding and the start of private funding—can stop a transfer.
The Department of Energy (DOE) and its national labs have taken several steps to address potential barriers to technology transfer—the process of providing DOE technologies, knowledge, or expertise to other entities. GAO characterized these barriers as (1) gaps in funding, (2) legal and administrative barriers, and (3) lack of alignment between DOE research and industry needs. For example, the “valley of death” is a gap between the end of public funding and start of private-sector funding. DOE partly addresses this gap with its Technology Commercialization Fund, which provides grants of $100,000 to $1.5 million to DOE researchers to advance promising technologies with private-sector partners. Further, DOE's Energy I-Corps program trains researchers to commercialize new technologies and to identify industry needs and potential customers. However, DOE has not assessed how many and which types of researchers would benefit from such training. Without doing so, DOE will not have the information needed to ensure its training resources target the researchers who would benefit most.
DOE plans and tracks the performance of its technology transfer activities by setting strategic goals and objectives and annually collecting department-wide technology transfer measures, such as the number of patented inventions and licenses. However, the department does not have objective and measurable performance goals to assess progress toward the broader strategic goals and objectives it developed. For example, without a performance goal for the number of DOE researchers involved in technology transfer activities and a measure of such involvement, DOE cannot assess the extent to which it has met its objective to encourage national laboratory personnel to pursue technology transfer activities. Internal control standards for government agencies call for management to define objectives in measurable terms, either qualitative or quantitative, so that performance toward those objectives can be assessed. Moreover, DOE has not aligned the 79 existing measures that it collects with its goals and objectives, nor has it prioritized them. Some lab stakeholders said that collecting and reporting these measures is burdensome. Prior GAO work has found that having a large number of performance measures may risk creating a confusing excess of data that will obscure rather than clarify performance issues.

FAA Should Examine a Range of Options to Support U.S. Launch Infrastructure

Demand for commercial space launches is expected to increase. Twelve launch sites in The US held operator licenses in Aug. 2020, and 11 more were seeking licenses from the Federal Aviation Administration.
Congress asked the FAA to recommend ways to facilitate and promote investments in space transportation infrastructure. The FAA told the GAO that its response would focus on 2 existing FAA grant programs.
Launch providers support the deployment of people and payloads, such as national security and commercial satellites or research probes, into space. The majority of these providers told GAO that U.S. space transportation infrastructure—located at sites across the country—is generally sufficient for them to meet their customers' current requirements. This situation is in part a result of the launch providers' investments in launch sites, along with state and local funding. Launch providers and site operators alike seek future improvements but differ on the type and location of infrastructure required. Some launch providers said that infrastructure improvements would be required to increase launch capacity at existing busy launch sites, while a few site operators said that new infrastructure and additional launch sites would help expand the nation's overall launch capacity.
The Federal Aviation Administration (FAA) was directed by statute to make recommendations to Congress on how to facilitate and promote greater investments in space transportation infrastructure, among other things. However, FAA's initial draft report was limited because it focused only on two existing FAA programs, rather than a range of options. FAA officials stated that they did not examine other options because of limited time and resources, and that the two identified programs could be implemented quickly because FAA has administrative authority to manage them. Leading practices in infrastructure investment emphasize the importance of conducting an examination of potential approaches, which can help identify how best to support national interests; avoid overlap or duplication of federal effort; and enhance, not substitute, participation by non-federal stakeholders. An examination may also help identify alternatives to making funding available, such as increasing efficiency and capacity through technology improvements. By focusing only on these existing programs, FAA may overlook other options that better meet federal policy goals and maximize the effect of any federal investment. Although FAA has already prepared its initial report to respond to the statute, it still has opportunities, such as during subsequent mandated updates, to report separately on potential approaches.
Demand for commercial space launches is anticipated to increase in the coming years. FAA, the agency responsible for overseeing the sites where these launches occur, was directed by statute to submit a report—and update it every 2 years until December 2024—that makes recommendations on how to facilitate and promote greater investments in space transportation infrastructure.