GAO: CISA's OT Teams Inadequately Staffed

The Government Accountability Office (GAO) recently conducted a study on operational technology (OT) products and services provided by CISA and found that some teams were staffed inadequately.

CISA is the lead agency in aiding critical infrastructure organizations to determine risks in industrial control systems (ICS) as OT environments are increasingly targeted by malicious actors. It provides risk analysis, evaluation and analysis tools, best practices guidelines, security advisories, and training and exercises, among other things.

Of the 13 non-federal entities with which the GAO conducted its study, including researchers who contributed to CISA's OT advisories as well as OT vendors that contribute to a CISA collaboration group, 12 were able to identify positive experiences in CISA's OT products and services. There were, however, complaints that the staff was insufficient.

One example was that the threat hunting and incident response team was staffed with four federal employees and five contractors at the time of the study. Nine people is not enough to respond to OT cyberattacks in varying locations, according to the agency.

Similarly, in the span of four years, CISA was only able to fulfill 125 of 572 requests related to OT products and services because of its staff shortage.

Though CISA reportedly claims that it is working to address these shortages, the GAO recommends that the agency execute more effective workforce planning.