The Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA) released a list of 55 “national critical functions” today, signaling a shift from protecting specific critical infrastructure sectors to protecting specific activities that are crucial to the country.
The functions are divided into four different areas:
- Supply, which focuses on providing resources to the public;
- Distribute, which has a heavy focus on the movement of goods and people;
- Manage, which is the largest bucket with a variety of functions; and
- Connect, which focuses on telecommunications and internet services.
To meet the threshold of a national critical function, an activity must be “so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof,” according to CISA’s definition.
“The National Critical Functions construct provides a risk management approach that focuses on better understanding the functions that an entity enables or to which it contributes, rather than focusing on a static sector-specific or asset world view,” CISA said in a statement.
Of particular interest to Federal IT will be functions such as:
- Provide Information Technology Products and Services;
- Conduct Elections;
- Perform Cyber Incident Management Capabilities;
- Protect Sensitive Information;
- Provide Identity Management and Associated Trust Support Services;
- Operate Core Network;
- Provide Positioning, Navigation, and Timing Services; and
- Provide Internet Based Content, Information, and Communication Services.
“Ultimately, the set of National Critical Functions is a launching pad for executing a more advanced approach to cybersecurity and critical infrastructure security and resilience. The National Critical Functions do not directly set national priorities but they support a more strategic way of doing so,” CISA stated.
The next step for the agency will be to create a risk register to find the scenarios, dependencies, risk attributes, and readiness that keep industry up at night.