The Department of Homeland Security’s agency that oversees its cyber security efforts on Tuesday released the initial set of core functions that are critical to national security writ large for further analysis and consequence modeling.
The set of 55 National Critical Functions include things like provide Internet routing, access and connection services, transmit electricity, generate electricity, maintain access to medical records, and conduct elections. The functions are aligned within four categories, which are connect, distribute, manage and supply.
The Cybersecurity and Infrastructure Security Agency (CISA) defines the National Critical Functions as “used or supported by government and the private sector that are of such vital importance to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
The functions were established through a collaborative effort by officials at various government levels and industry stakeholders with the effort led by CISA’s National Risk Management Center (NRMC). With the functions in hand, the next step is the agency to work with its partners to develop a Risk Register to better understand how likely a function could be impaired and the significance of the impairment, and assess readiness levels of government and industry to “work together to reduce risk” and to establish priority areas of national risk, DHS said.
The National Critical Functions cut across the nation’s critical sectors, creating interdependencies between the sectors.
“Identifying these National Critical Functions has been a collaborative process between public and private sector partners and marks a significant step forward in the way we think about and manage risk,” CISA Director Chris Krebs said in a statement. “By moving from an individual, sector-specific lens to a more strategic and prioritized manner.”
Creation of the Risk Register will also be a collaborative effort between stakeholders.
On its website, CISA says the Rick Register won’t be made public but that the people that need to know within the nation’s critical infrastructures will receive “actionable information” to make risk informed decisions. The register will be tiered and be created using risk and dependency analysis and consequence modeling.
The set of functions was directed by the National Cyber Strategy and the DHS Cybersecurity Strategy last year.