Over the past six months, the Cybersecurity and Infrastructure Security Agency (CISA) has engaged in a far-reaching effort in partnership with the Sector Coordinating Councils, the SLTT Government Coordinating Council, and associated Sector Specific Agencies, as well as other partners to identify and validate a set of National Critical Functions.
National Critical Functions are defined as:
The functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
The National Critical Functions construct provides a risk management approach that focuses on better understanding the functions that an entity enables or to which it contributes, rather than focusing on a static sector-specific or asset world view. This more holistic approach is better at capturing cross-cutting risks and associated dependencies that may have cascading impact within and across sectors. It also allows for a new way to view criticality, which is linked to the specific parts of an entity that contribute to critical functions. By viewing risk through a functional lens, we can ultimately add resilience and harden systems across the critical infrastructure ecosystem in a more targeted, prioritized, and strategic manner.
A functional approach is featured in the National Cyber Strategy, which focuses national attention on ensuring cybersecurity is thought of as part of national security. The Executive Order on Coordinating National Resilience to Electromagnetic Pulses also leverages the definition of National Critical Functions to call on the critical infrastructure community to better understand the effects of electromagnetic pulses through assessment and prioritization of National Critical Functions.
Utility of National Critical Functions
The National Critical Functions are a springboard for a wide range of risk management activity including:
- Supporting Infrastructure and Programmatic Prioritization
- Conducting Detailed Operational and Risk Analysis
- Informing Intelligence Collection Requirements
- Supporting Incident Management Prioritization
- Setting Priorities for Investments in Infrastructure Security and Resilience
- Supporting National Security Decision Making
- Enhancing the Efficacy of Continuity Efforts
A key component of CISA’s strategy will be to use the National Critical Functions to conduct the activities listed above. It will be supported by continued doctrinal and policy evolution as well as close coordination across the interagency and the critical infrastructure community. Ultimately, the set of National Critical Functions is a launching pad for executing a more advanced approach to cybersecurity and critical infrastructure security and resilience. The National Critical Functions do not directly set national priorities but they support a more strategic way of doing so.
Next Steps: Building a Risk Register
The National Critical Functions construct – being a new “language” that we can use to talk about critical infrastructure risk management – is also a foundational element for the development of a Risk Register. By performing risk and dependency analysis and consequence modeling, CISA will identify scenarios that could potentially cause national-level degradation to National Critical Functions. This will result in a tiered Risk Register – prioritizing areas of national risk to critical infrastructure in need of mitigation and collective action. The process for developing the Risk Register will involve representatives from across government and industry and combine analysis with policy judgment and operational insight.
Throughout the Risk Register development process, CISA will be looking for information to help answer the question of “what keeps you up at night.” Specifically:
- Scenarios: identifying scenarios that could plausibly cause National-level degradation of NCFs.
- Risk Attributes: identifying likelihood and consequence information associated with each scenario leveraging existing sources, such as sector risk assessments, where possible.
- Dependencies: mapping out how disruptions to one NCF could cascade and impact other NCFs.
- Readiness: gauging existing risk management efforts and the degree that stakeholders are ready to further engage in communitywide efforts to mitigate risks.
The Risk Register will be a document developed by CISA that we also intend to share as appropriate within the critical infrastructure community – including Government and Sector Coordinating Councils. Portions of the Risk Register may have higher classification levels. Regardless, we are committed to ensuring the right people in the critical infrastructure community receive actionable information to make informed risk management decisions.
The set of National Critical Functions and the subsequent Risk Register are not meant to be static snapshots. Engagement with sector and federal partners will be ongoing as both of these products are updated periodically.
In addition, CISA will be working with leadership from the critical infrastructure community to maximize the utility of the National Critical Functions for risk management. Policy, doctrine, and process enhancements will continue and additional analysis will support identification of priorities and the commencement of structured risk management initiatives, such as CISA’s ongoing Election Security Initiative.
National Critical Functions
National Critical Functions enable the organization of similar critical infrastructure operations across sector lines. These National Critical Functions are organized and presented in four areas – supply, distribute, manage, and connect – for ease of communicating the functions. Our economy and our way of life depend on the supply of materials, goods, and services. Goods, people and utilities move in, out, and across the United States through distribution functions. Effective, safe, efficient, lawful, and responsive management drives our way of life, our economy, and the cohesion of our society. Technology platforms and the connections they enable underpin interactions on a daily basis and in the face of crisis. The following functions are critical to the Nation as a whole.
The National Risk Management Center (NRMC) is a planning, analysis, and collaboration center working to identify, analyze, prioritize, and manage the most strategic risks to the Nation’s critical infrastructure. For more information, contact NRMC@hq.dhs.gov or visit CISA.gov