Research Outline

National Critical Functions

Goals

To understand what is at risk in national critical functions and what is desired to prevent them.

Early Findings

  • National Critical Functions are, "The functions of government and the private sector that are so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety." The full set of them is available here.
  • The National Risk Management Center (NRMC) has several steps it uses to protect NCFs. Once identifed, it then, "engage[s] with stakeholders to conduct risk analysis ; assess[es] risk from interdependencies and concentrated dependence on technology ; use[s] risk and scenario analysis to build a tiered Risk Register; consider[s] risk and readiness for action to prioritize plans ; convene[s] teams to develop collaborative strategies ; and coordinate[s] risk management and implementation plans."
  • The Cybersecurity and Infrastructure Security Agency works with the NRMC to protect NCFs. Some activities they are now pursuing, now that the NCFs have been determined, include, "Supporting Infrastructure and Programmatic Prioritization, Conducting Detailed Operational and Risk Analysis , Informing Intelligence Collection Requirements , Supporting Incident Management Prioritization , Setting Priorities for Investments in Infrastructure Security and Resilience, Supporting National Security Decision Making."
  • The NCFs were only set in late April, so an elaborate framework for preventing/protecting them has not been officially established.
  • Since 9/11, US policy has evolved to an attitude of system resiliance over asset protection. It now reflects a blended approach to CI protection and CI resiliance.
  • The government generally relies on the private sector to voluntarily adopt risk management of critical infrastructure. The main incentives here are improved access to risk management resources from the government and the opportunity to engage and develop risk policy through direct participation.
  • Government regulation for national critical functions is still limited. Where they are regulated, the two roles (regulation and responsibility) are usually separated into separate agencies.
  • This attitude is confirmed to carry on, via information from the Department of Homeland Security. It relies on public-private partnership and voluntary compliance. The CISA released its "Strategic Intent" document in August, which continues to call for private-publioc collaboration. For in-depth information about certain issues like 5G and China (supply chain) are available here.