{"id":2678,"date":"2024-03-07T15:52:44","date_gmt":"2024-03-07T21:52:44","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=79675"},"modified":"2024-03-07T15:52:44","modified_gmt":"2024-03-07T21:52:44","slug":"cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/03\/07\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says\/","title":{"rendered":"CISA needs better workforce planning to handle operational technology risks, GAO says"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>CISA needs better workforce planning to handle operational technology risks, GAO says | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-workforce-ot-risks-gao-report\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA needs better workforce planning to handle operational technology risks, GAO says\"> <meta property=\"og:description\" content=\"The watchdog report finds that CISA has \u201cinsufficient\u201d staff to handle simultaneous attacks that impact OT systems.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-workforce-ot-risks-gao-report\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-03-07T21:52:44+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg\"> <meta property=\"og:image:width\" content=\"2121\"> <meta property=\"og:image:height\" content=\"1414\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1709678820g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css,\/wp-content\/plugins\/embedpress\/Gutenberg\/dist\/blocks.style.build.css?m=1709662998\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/plugins\/embedpress\/assets\/css\/embedpress.css,\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1709325119\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\">\n<link rel=\"stylesheet\" id=\"all-css-10\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-includes\/css\/dashicons.min.css,\/wp-content\/plugins\/embedpress\/assets\/css\/plyr.css?m=1709678820\" type=\"text\/css\" media=\"all\"> <link 
rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/79675\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=79675\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-workforce-ot-risks-gao-report%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-workforce-ot-risks-gao-report%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-79675 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-workforce-ot-risks-gao-report\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top 
ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"23.99053030303\">\n<div class=\"single-article__header-content\" readability=\"29.686746987952\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> The watchdog report finds that CISA has \u201cinsufficient\u201d staff to handle simultaneous attacks that impact OT systems. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg 2121w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg?resize=506,337 
506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"29.831800099453\"><body readability=\"62.886213124624\"><\/p>\n<p>The Cybersecurity and Infrastructure Security Agency has an understaffed and often ill-equipped workforce to deal with risks to the nation\u2019s key operational technology systems, the Government Accountability Office said in a new <a href=\"https:\/\/www.gao.gov\/assets\/d24106576.pdf\">report<\/a> Thursday.<\/p>\n<p>The crucial role that OT systems play in critical infrastructure makes them especially vulnerable to cyberattacks, but owners and operators told the GAO that they face challenges in working with CISA to combat those threats, citing a lack of agency staffers that have the \u201cnecessary skills.\u201d&nbsp;<\/p>\n<p>In producing the report, the GAO spoke with officials from CISA and 13 nonfederal entities about the various OT-related challenges they face. 
Those entities included councils that represented OT-prevalent sectors and subsectors with infrastructures especially vulnerable to cyber threat risks, OT vendors that participated in a CISA collaboration group, and cybersecurity researchers that assisted in the development of CISA\u2019s OT advisories.&nbsp;<\/p>\n<p>While 12 of the 13 detailed positive experiences with CISA\u2019s OT products and services, seven also highlighted negative experiences, including one that cited a year-plus gap between the first report of a vulnerability and the public disclosure from CISA.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>CISA officials and one nonfederal entity were aligned in acknowledging that the agency has \u201cinsufficient\u201d staff with the requisite OT skills; there are just four federal employees and five contractors at CISA who work on threat hunting and incident response service. CISA officials said that is \u201cnot enough staff to respond to significant attacks impacting OT systems in multiple locations at the same time.\u201d<\/p>\n<p>Staffing shortcomings also appeared to manifest in the agency\u2019s information-sharing capabilities. In reviewing documentation from seven federal agencies that routinely collaborate with CISA \u2014 the Department of Defense\u2019s Defense Cyber Crime Center; the National Security Agency; the Department of Energy\u2019s Office of Cybersecurity, Energy Security, and Emergency Response; the Transportation Security Administration; the U.S. 
Coast Guard; the Federal Railroad Administration; and the Pipeline and Hazardous Materials Safety Administration \u2014 the GAO found positive outcomes from six, but notable challenges from four.<\/p>\n<p>Three agencies \u2014 CESER, FRA and USCG \u2014 said CISA has been \u201cineffectively sharing information with critical infrastructure owners and operators,\u201d while PHMSA said CISA is falling short on a process to inform those stakeholders about cyber threats, the report said.&nbsp;<\/p>\n<p>\u201cPHMSA officials told us that they would like CISA to leverage their expertise and daily interaction with the sector to help increase communication of threats to all pipeline operators and their OT systems,\u201d the GAO stated.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The GAO offered four recommendations to the director of CISA: \u201cmeasure customer service for its OT products and services, perform effective workforce planning for OT staff, issue guidance to the sector risk management agencies on how to update their plans for coordinating on critical infrastructure issues, and develop a policy on agreements with sector risk management agencies with respect to collaboration.\u201d&nbsp;<\/p>\n<p>The Department of Homeland Security concurred with the GAO\u2019s recommendations for CISA.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.519313304721\">\n<div class=\"author-card\" readability=\"15\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/cisa-needs-better-workforce-planning-to-handle-operational-technology-risks-gao-says-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Bracken\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written 
by Matt Bracken<\/h4>\n<p> Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div 
class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-workforce-ot-risks-gao-report\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA needs better workforce planning to handle operational technology risks,<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1662,78,452,1663,1664,1292,874,1665,812,1666],"tags":[1667,86,454,1668,1669,1298,876,1670,813,1671],"class_list":["post-2678","post","type-post","status-publish","format-standard","hentry","category-ceser","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-defense-cyber-crime-center","category-federal-railroad-administration","category-gao","category-operational-technology","category-phmsa","category-transportation-security-administration-tsa","category-u-s-coast-guard","tag-ceser","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-defense-cyber-crime-center","tag-federal-railroad-administration","tag-gao","tag-operational-technology","tag-phmsa","tag-transportation-security-administration-tsa","tag-u-s-coast-guard"],"featured_image_urls":{"full":"","thumbnail":"","me
dium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ceser\/\" rel=\"category tag\">CESER<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/defense-cyber-crime-center\/\" rel=\"category tag\">Defense Cyber Crime Center<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/federal-railroad-administration\/\" rel=\"category tag\">Federal Railroad Administration<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/gao\/\" rel=\"category tag\">GAO<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/operational-technology\/\" rel=\"category tag\">operational technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phmsa\/\" rel=\"category tag\">PHMSA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/transportation-security-administration-tsa\/\" rel=\"category tag\">Transportation Security Administration (TSA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/u-s-coast-guard\/\" rel=\"category tag\">U.S. Coast Guard<\/a>","tag_info":"U.S. 
Coast Guard","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2678","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2678"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2678\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2678"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2678"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}