The Government Accountability Office (GAO) has recommended that the Cybersecurity and Infrastructure Security Agency (CISA) set new expected completion dates for tasks in the third phase of its organizational plan that are past their planned completion dates and prioritize tasks that are key to mission effectiveness.
GAO made the recommendation after it found that CISA had completed only 37 of 97 planned phase three tasks by mid-February and that 42 of the unfinished tasks were past their planned completion dates, including the release of a memo that outlines incident management roles across CISA and the finalization of mission-critical functions of divisions within the agency, according to a report published Wednesday.
“Until it establishes updated milestones and an overall deadline for its efforts, and expeditiously carries out these plans, CISA will be hindered in meeting the goals of its organizational transformation initiative. This in turn may impair the agency's ability to identify and respond to incidents, such as the cyberattack discovered in December 2020 that caused widespread damage,” the GAO report reads.
CISA’s organizational transformation initiative has three phases. The congressional watchdog found that the agency, which is part of the Department of Homeland Security, completed the first two phases, which led to the consolidation of multiple incident response centers and the creation of a new organization chart, among other changes. The third phase is focused on implementing CISA’s planned organizational changes.
GAO also recommended that CISA establish an overall deadline to complete its organizational plan, develop a strategy for workforce planning and devise plans to develop outcome-oriented performance measures to assess whether the agency’s efforts meet the goals of its organizational transformation initiative.