The National Risk Management Center (NRMC) supports CISA’s Cyber and Infrastructure Security Mission by creating an environment where government and industry can collaborate within and across sectors to develop plans and solutions for reducing cyber and other systemic risks to national and economic security. NRMC turns analysis into action by developing risk management solutions.
CISA works in close coordination with other federal agencies, the private sector and other key stakeholders in the critical infrastructure community to Identify, Analyze, Prioritize, and Manage the most strategic risks to the Nation’s critical infrastructure.
CISA’s risk management efforts aim to build on legacy programs that historically have focused on critical infrastructure from the perspective of assets and organizations, not systems and functions. This evolved approach addresses system-wide and cross-sector risks. Sector expertise should inform efforts and influence our understanding of how to manage risk to National Critical Functions.
- Publish National Critical Functions
- Convene public and private stakeholder groups connected by functions
- Identify and validate scenarios of concern
- Engage with stakeholders to conduct risk analysis
- Assess risk from interdependencies and concentrated dependence on technology
- Use risk and scenario analysis to build a tiered Risk Register
- Consider risk and readiness for action to prioritize plans
- Convene teams to develop collaborative strategies
- Coordinate risk management and implementation plans
What are National Critical Functions?
The functions of government and the private sector that are so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety.
This set was developed through a far-reaching partnership effort with the critical infrastructure community via the Sector Coordinating Councils, associated Sector Specific Agencies, the SLTT Government Coordinating Council, and other stakeholders.
Why is the National Critical Functions Construct Important?
The National Critical Functions construct provides a risk management lens that focuses less on a static, sector-specific or asset world view, and instead focuses on the functions an entity contributes to or enables. This makes it possible to capture more holistically the cross-cutting risks and associated dependencies that may have cascading impact within and across sectors.
It also contributes to a new view of criticality which is linked to the specific parts of an entity that contribute to critical functions. By viewing risk through a functional lens, we can ultimately add resilience and harden systems across the critical infrastructure ecosystem in a more targeted, prioritized, and strategic manner.
The National Critical Functions approach to risk management is featured in the National Cyber Strategy and the DHS Cybersecurity Strategy. Similarly, the Executive Order on Coordinating National Resilience to Electromagnetic Pulses leverages the definition of National Critical Functions to call on the critical infrastructure community to better understand the effects of electromagnetic pulses through assessment and prioritization of National Critical Functions.
What Comes Next – Using National Critical Functions to Create a Risk Register
The National Critical Functions construct – being a new “language” that we can use to talk about critical infrastructure risk management – is also a foundational element for the development of a Risk Register. By performing risk and dependency analysis and consequence modeling, CISA will identify scenarios that could potentially cause national-level degradation to National Critical Functions. This will result in a tiered Risk Register that prioritizes areas of national risk to critical infrastructure in need of mitigation and collective action. The process for developing the Risk Register will involve representatives from across government and industry and combine analysis with policy judgment and operational insight.
The Risk Register will not be a public document and may potentially have portions at higher classification levels. Regardless, we are committed to ensuring the right people in the critical infrastructure community receive actionable information to make informed risk management decisions.
National Critical Functions Resources