The Cybersecurity and Infrastructure Security Agency (CISA) has a number of programs and services it uses to support the security of the nation’s communications sector, but the agency hasn’t assessed the effectiveness of these efforts and hasn’t developed metrics to measure its support, the Government Accountability Office (GAO) says in a new report.
The agency also “has not evaluated feedback it has received from the Communications Sector owners and operators to determine if those entities found its programs and services useful or relevant,” the report says, adding that CISA hasn’t assessed which types of sector owners and operators—large or small providers—benefit most from its programs.
GAO says that the Department of Homeland Security’s framework for managing risk among critical infrastructures encourages the use of metrics to analyze the effectiveness of activities to strengthen the security and resilience of these infrastructures.
The risks identified by DHS to the communications sector include physical, cyber and human threats, around which CISA has developed programs and services to lend support. These activities include incident management, information sharing, cybersecurity programs, field support, education and other initiatives.
GAO said that during its investigation, CISA said it has had challenges in developing metrics to assess the performance of its programs, “including collecting voluntary information from sector owners and operators.”
In the cybersecurity space, CISA works with the private sector on a voluntary basis. GAO noted that CISA does seek feedback from industry on assessments conducted by the agency.