The Cybersecurity and Infrastructure Security Agency (CISA) National Risk Management Center (NRMC) plays a crucial role in the protection of the nation’s critical infrastructure through comprehensive cross-sector analysis. This methodical approach allows CISA to identify, analyze, and mitigate a broad spectrum of risks, bolstering the resilience and security of the United States’ essential services and assets. This article explores the importance of the NRMC’s strategies in risk management, highlighting National Critical Functions (NCFs) for cross-sector risk analysis and examining various methodologies to demonstrate NRMC’s thorough approach to national security.
Protecting critical infrastructure is an important way that all nations protect and care for their citizens. Risks to these assets and systems can threaten public health and safety, the economy, and national security. Today’s critical infrastructure is more complex, interconnected, and digitally dependent than ever and the assessment of critical infrastructure risk in this environment requires innovative analytic approaches as well as collaboration with a broad set of stakeholders working together towards the goal of risk mitigation.
Unraveling the physical and virtual dependencies in critical infrastructure requires a structured examination of what we need critical infrastructure to do for the American People. CISA  worked with the critical infrastructure community to develop a set of National Critical Functions (NCFs) to guide the assessment and management of critical infrastructure, in particular to strengthen our understanding of dependencies, cyber risk and resilience. Using NCFs enables the NRMC to prioritize efforts in safeguarding functions essential to national resilience. This approach not only streamlines protective measures but also enhances situational awareness of sectoral interdependencies, critical for proactive risk management.
Some of these functions, like generating electricity, fall clearly in the responsibility of one of the 16  Critical Infrastructure Sectors while others such as protecting sensitive information are performed across the sectors with a range of physical and digital tools. Using the NCFs, we can better understand how risk concentrates in and propagates through the assets and systems that comprise critical infrastructure and how to invest in security and resilience.
CISA’s NRMC developed maps of how each function is executed including both steps in performing the functions as well as the physical assets where those functions are performed. That information is used to map the dependencies and interdependencies among the functions and the physical infrastructure to give us a fulsome understanding of how failures can cascade through systems. We capture this complex information in tools in our STAR platform – Suite of Tools for the Analysis of Risk (STAR) . Combining STAR’s capabilities with advanced simulation tools enables the NRMC to model complex scenarios, simulate potential disruptions, and understand the cascading effects of various threats. This integrated approach allows for the anticipation of risks and the strategic development of resilience measures.
In addition to leveraging NCFs, the NRMC employs a variety of strategies to address the complex nature of threats:
- Risk Assessments: Tailored assessments address each sector’s unique vulnerabilities and threats.
- Integrated Threat Intelligence: Intelligence from diverse sources enhances the NRMC’s ability to forecast and respond to emerging threats.
- Public-Private Partnerships: Collaborations with industry stakeholders ensure a unified approach to threat mitigation, leveraging shared intelligence and resources for enhanced security.
- Emerging Risk Identification: The NRMC also focuses on identifying and mitigating emerging risks, such as those posed by novel technologies or the evolving nature of cyber threats, which could have unforeseen impacts across critical infrastructure sectors.
In areas where we know there is unmanaged cross-sector critical infrastructure risk, CISA NRMC has initiatives to facilitate risk identification, assessment and mitigation. A few of those areas are called out below:
- Information and Communications Technology (ICT) Supply Chain: Vulnerabilities in the global ICT supply chain, from cybersecurity threats to geopolitical tensions, can disrupt multiple sectors by affecting communication channels and data flows.
- Space, Space Weather, and PNT Services: The dependency on space-based assets and accurate Positioning, Navigation, and Timing (PNT) services means that space weather events or disruptions can have wide-reaching effects across various sectors, from transportation to telecommunications and beyond.
- Artificial Intelligence (AI): The integration of AI technologies introduces risks of AI-driven attacks or the exploitation of AI vulnerabilities, affecting decision-making algorithms and critical operations across numerous sectors.
A theme that runs through CISA’s risk work is prioritization. The scope and scale of infrastructure and the risk environment creates a constant need to prioritize ensuring strategic resource allocation to protect critical national assets. The NRMC performs prioritization that supports both operational and strategic decisions. On the operational side, CISA prioritizes entities for outreach concerning cyber intrusions or vulnerabilities and identifies priority infrastructure during natural hazard events like hurricanes and wildfires.
The NRMC’s strategic and multi-dimensional approach to risk management is indispensable in protecting the nation’s critical infrastructure against today’s complex threat landscape. By leveraging National Critical Functions and incorporating diverse methodologies, along with sophisticated analytical and modeling tools, the NRMC enables robust protection for the nation’s critical infrastructure.