March 12, 2024 at 06:27PM
The GAO study found that some teams at CISA were inadequately staffed in providing OT products and services. While most entities had positive experiences, there were complaints about insufficient staff, such as four federal employees and five contractors for threat hunting and incident response. Staff shortages resulted in unmet requests, prompting GAO to recommend more effective workforce planning.
Based on the meeting notes, the key takeaways are:
1. The Government Accountability Office (GAO) recently conducted a study on operational technology (OT) products and services provided by CISA and found that some teams were inadequately staffed.
2. CISA is the primary agency assisting critical infrastructure organizations in assessing risks in industrial control systems (ICS) as OT environments are increasingly targeted by malicious actors. It provides risk analysis, evaluation and analysis tools, best practices guidelines, security advisories, and training and exercises.
3. Of the 13 non-federal entities surveyed by GAO, including researchers contributing to CISA’s OT advisories and OT vendors in a CISA collaboration group, 12 reported positive experiences with CISA’s OT products and services. However, there were complaints about insufficient staffing.
4. An example highlighted that the threat hunting and incident response team lacked adequate staffing, with only four federal employees and five contractors, which was deemed insufficient to respond to OT cyberattacks in varying locations.
5. Over a four-year period, CISA was only able to fulfill 125 of 572 requests related to OT products and services due to staff shortages.
6. CISA claims to be working to address these shortages, but the GAO recommends that the agency executes more effective workforce planning.
Please let me know if you need further details or any additional information.