The Cybersecurity and Infrastructure Security Agency (CISA) does not effectively coordinate and share best practices to enhance security across the commercial facilities sector. Specifically, CISA does not coordinate within DHS on security assessments to prevent potential overlap, does not always ensure completion of required After Action Reports to share best practices with the commercial facilities sector, and does not adequately inform all commercial facility owners and operators of available DHS resources. This occurred because CISA does not have comprehensive policies and procedures to support its role as the commercial facilities’ Sector-Specific Agency (SSA). Without such policies and procedures, CISA cannot effectively fulfill its SSA responsibilities and limits its ability to measure the Department’s progress toward accomplishing its sector-specific objectives. CISA may also be missing opportunities to help commercial facility owners and operators identify threats and mitigate risks, leaving the commercial facilities sector vulnerable to terrorist attacks and physical threats that may cause serious damage and loss of life. We made three recommendations to improve CISA’s coordination and outreach to safeguard the commercial facilities sector. CISA concurred with all three recommendations.
- Executive SummaryReport NumberOIG-20-37Issue DateDocument FileDHS AgencyOversight AreaFiscal Year2020