CISA National Critical Functions Updates Reflect Reframing of How Risks Are Managed

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a status update on its work with the National Critical Functions (NCFs), which has focused on a decomposition of each of the 55 NCFs to enable a deeper understanding of how critical functions like supplying water and managing wastewater are provided and where failures might occur and that might point to sustainable risk reduction solutions.

Within CISA, the National Risk Management Center (NRMC) leads the NCF efforts and, with interagency and industry partners, identified the sub-functions in each NCF over the past year, finding 294 primary sub-functions and 1,059 secondary sub-functions. Currently, the NRMC is working with partners to validate the decompositions.

The NRMC uses the NCFs as a framework and reference point for where it should focus critical infrastructure risk assessments. The NRMC has six categories of risk assessments it performs, one of which is to provide threat of hazard specific risk analysis that answers the question of which NCFs are most susceptible to a specific threat or hazard (such as electromagnetic pulse). To further support its risk assessment ability, the NRMC is developing the “Risk Architecture,” a technology-enabled tool that will integrate the decomposition data and other information to run analytical models and simulations.

The status update concludes with a series of steps NRMC intends to take in the future. The NRMC notes it will further break down NCFs into their constituent systems, assets, and components to characterize them more completely and answer specific analytic questions. It also states it will further develop the NCF Framework as a tool for operational analysis, among other actions.

Read more at CISA.