The Department of Homeland Security recently issued a report offering a functional approach to critical infrastructure risk management. The deputy associate director of the National Risk Management Center explains more.
Last month, the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), published two important resources that deserve special attention. While many of these CISA status reports may seem a bit like “alphabet soup” to those not familiar with the process, the importance of this National Critical Function (NCF) topic is paramount to our joint efforts to protect our nation’s critical infrastructure from numerous threats.
The "NCF: Status Update to the Critical Infrastructure Community" was released directly to stakeholders in July 2020, and the NCF Fact Sheet is new.
The release of this NCF report on progress in protecting our National Critical Functions is ground-breaking. In order to better understand the importance of this topic and dive deeper into what it means, I interviewed Thad Odderstol, deputy associate director of the National Risk Management Center.
Mr. Odderstol has an impressive career track record with extensive public- and private-sector experience. He was the information security risk management lead at Freddie Mac; a security specialist with Deloitte; the director of strategy, engagement and program management at the U.S. Department of Health and Human Services; and the director of industry engagement and resilience for DHS, as well as directing critical infrastructure protection cyber security for DHS.
I have known Thad for well more than a decade, and we worked together in DHS’s early efforts on critical infrastructure protection, while I was Michigan CISO and during the Bush and Obama administrations when he was with DHS. He is very smart and well-respected in the industry, and I can think of no one better to update us on these recent developments and important reports.
Dan Lohrmann (DL): How did this consolidated report develop? How often will it be updated?
Thad Odderstol (TO): National Risk Management Center (NRMC) engagement with partners has been critical to development of the National Critical Functions (NCF) approach to risk management. Partners across sectors have dedicated time and subject-matter expertise to elicitation sessions to connect the sectors to the 55 NCFs. We owed them a comprehensive update on the status of the NCFs and development of the associated risk architecture overall.
The Status Update also sets the stage for year two of the NRMC’s NCF work. This fall, the NCF team will begin collaborating with critical infrastructure sectors to support a number of key activities to discuss sector mapping and stakeholder analysis with the NCFs; determine approaches to sector collaboration to inform NCF decomposition analysis efforts; help increase understanding of priority areas where the NRMC can provide analytical support; and identify opportunities to incorporate NCF risk analysis into existing-sector risk management planning, information sharing, coordination and response, and capability development efforts.
As we move forward with sector partners, we will evaluate the need to release additional updates based on their feedback.
DL: Most of these critical functions are run by the private sector, so what is the role of DHS CISA in managing cyber-risk in these areas? How is this being accomplished?
TO: CISA is the nation’s risk adviser. We help build awareness and understanding of cyber and physical risks to critical infrastructure, and we provide our partners with advice and resources to help manage those risks. Within CISA, the NRMC’s focus is on collaborating with partners to analyze and prioritize risks to the NCFs, including cyber-risks that have the potential to impact and degrade functions that support national and economic security, public health and safety.
A key effort that supports NCF risk analysis is to support decomposition across the different critical functions, which will identify and characterize the systems required for them to operate to better understand interconnections between sectors and functions. We anticipate uncovering new sources of risk and bringing known risks into sharper focus. We can then work within our partnership structure to develop cross-sector communities of interest to address these issues.
The Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force is a great example of how public- and private-sector partners from multiple sectors can come together to tackle a carefully defined source of risk. Representatives of the IT and communication sectors are primary participants with a focus on securing the supply chain for these sectors. The goal of the ICT SCRM Task Force is to develop strategic and operational risk reduction recommendations to make the supply chain more resilient. More information is available at www.cisa.gov/ict-scrm-task-force.
DL: There are clear vulnerabilities in most of these critical infrastructure areas, so how are risk mitigation efforts improving overall?
TO: DHS and its partners across government and industry have made great strides over the last 15-plus years addressing risks to critical infrastructure. Much of this valuable work focused within sectors or on specific assets and entities. The NCFs will allow us to better identify and characterize cross-sector risks, as well as to better inform the prioritization of risk management coordination, planning and capabilities where there’s shared risk ownership, and to more effectively reduce national-level risks. Major hazards like COVID-19 are complex and cross-sector, so risk analysis and mitigation require a different assessment of sector interdependencies.
DL: With so many activities happening in so many NCFs, how are these prioritized? What are the top priorities over the next six months?
TO: The NCFs are defined as “the functions of government and the private sector that are so vital to the United States that their disruption, corruption or dysfunction would have a debilitating effect on security, national economic security, national public health or safety.” So, risk to any NCF is a serious concern. We prioritize analysis of NCF risks based on the requirements for specific projects. General criteria include NCFs subject to strategic risks; NCFs vulnerable to specific threats/hazards; NCFs with gaps in understanding of stakeholders or risk management strategies; or those aligned to ongoing initiatives.
The big risk driver right now is COVID-19, which creates risk in numerous NCFs. COVID-19 presents obvious risks to the Support Community Health NCF, and social distancing measures potentially create cybersecurity risk as workers shift to telework. Changes in supply, demand and availability of essential workers have implications for critical infrastructure operations, too.
DL: How do state and local governments get involved in these critical infrastructure efforts? Where can those interested in helping go to become more engaged?
TO: Our coordination on NCFs is conducted primarily through the council structure described in the National Infrastructure Protection Plan (NIPP). State and local government perspectives are represented on several of these councils. The State, Local, Tribal and Territorial Government Coordinating Council (SLTTGCC), one of the four cross-sector councils under NIPP, is composed exclusively of officials from this community. Critical infrastructure partners with specific questions about NCFs can email NRMC at NCF@hq.dhs.gov.
DL: Is there anything else you would like to add?
TO: We appreciate the interest in our NCF work. It’s a significant undertaking and a major advancement in how the critical infrastructure community analyzes risk. Continued support from this community will be important for its success.
DL: Thank you Thad for all your efforts and for answering my NCF reporting questions. I urge readers to visit the links above and learn more about our status on critical infrastructure protection and our National Critical Functions.
Never miss a story with the daily Govtech Today Newsletter.