1. C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y
NATIONAL CRITICAL FUNCTIONS
OVERVIEW
Matthew Travis, Deputy Director, CISA
December 3, 2019
2. Matthew Travis, Deputy Director, CISA
December 3, 2019
Critical Infrastructure Sector Construct
1
Critical Infrastructure defined: “Assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or
destruction would have a debilitating effect on national security, economic security, national public health or safety, or any combination thereof.”
3. Matthew Travis, Deputy Director, CISA
December 3, 2019
Risk Landscape Requires Evolved Response
1. Cross-sector reality. Critical infrastructure risk management,
particularly around cybersecurity, is increasingly cross-sector in
nature. A silo-ed approach is no longer sufficient.
2. Our understanding of risk must evolve from a static
asset/organization view to a more holistic approach that focuses on
functions and services.
3. Understanding and mitigating nation-level, cross-sector risks
requires a better approach to data and analysis than traditional
approaches.
4. Broadening the stakeholder community involved in critical
infrastructure risk management to better engage non-traditional
groups.
2
4. Matthew Travis, Deputy Director, CISA
December 3, 2019
National Critical Functions (NCF) –
A Necessary Risk Management Evolution
“National Critical Functions” are the functions of
government and the private sector so vital to the United
States that their disruption, corruption, or dysfunction
would have a debilitating effect on security, national
economic security, national public health or safety, or
any combination thereof.
3
PUBLISH NCFs PRIORITIZED
FUNCTIONS
RISK ANALYSIS GAP ANALYSIS INITIATIVES
5. TLP:WHITE
Matthew Travis, Deputy Director, CISA
December 3, 2019
National Critical Functions Set
5
CONNECT DISTRIBUTE MANAGE SUPPLY
Operate Core Network
Provide Cable Access Network
Services
Provide Internet Based Content,
Information, and Communication
Services
Provide Internet Routing, Access
and Connection Services
Provide Positioning, Navigation,
and Timing Services
Provide Radio Broadcast Access
Network Services
Provide Satellite Access Network
Services
Provide Wireless Access Network
Services
Provide Wireline Access Network
Services
Distribute Electricity
Maintain Supply Chains
Transmit Electricity
Transport Cargo and Passengers
by Air
Transport Cargo and Passengers
by Rail
Transport Cargo and Passengers
by Road
Transport Cargo and Passengers
by Vessel
Transport Materials by Pipeline
Transport Passengers by Mass
Transit
Conduct Elections
Develop and Maintain Public Works
and Services
Educate and Train
Enforce Law
Maintain Access to Medical Records
Manage Hazardous Materials
Manage Wastewater
Operate Government
Perform Cyber Incident
Management Capabilities
Prepare For and Manage Emergencies
Preserve Constitutional Rights
Protect Sensitive Information
Provide and Maintain Infrastructure
Provide Capital Markets and
Investment Activities
Provide Consumer and Commercial
Banking Services
Provide Funding and Liquidity Services
Provide Identity Management and
Associated Trust Support Services
Provide Insurance Services
Provide Medical Care
Provide Payment, Clearing, and
Settlement Services
Provide Public Safety
Provide Wholesale Funding
Store Fuel and Maintain Reserves
Support Community Health
Exploration and Extraction Of
Fuels
Fuel Refining and Processing
Fuels
Generate Electricity
Manufacture Equipment
Produce and Provide Agricultural
Products and Services
Produce and Provide Human and
Animal Food Products and
Services
Produce Chemicals
Provide Metals and Materials
Provide Housing
Provide Information Technology
Products and Services
Provide Materiel and Operational
Support to Defense
Research and Development
Supply Water
6. TLP:WHITE
Matthew Travis, Deputy Director, CISA
December 3, 2019
Building a Functional Construct: Prioritization
5
DRAFT//PRE-DECISIONAL
UNCLASSIFIED//FOR OFFICIAL USE ONLY
Benefits
• Sectors explained how they interpret their contribution to the NCFs
• Focused sessions reinforced NRMC commitment to and reliance on the partnership
• Sectors were able to learn more about each of the NCFs
• Sectors were able to offer constructive feedback on the process
7. TLP:WHITE
Matthew Travis, Deputy Director, CISA
December 3, 2019
Building a Functional Construct: Prioritization
6
National Critical
Function
Severity of Disruption Prioritization Risk Management
Capability
Comment
If your sector lost this
function, what would be the
severity of disruption?
Please rank the NCFs in
terms of their highest priority
(1 = Highest Priority)
Rate the current level of risk
management capability
associated with managing
the risk of losing this NCF
Please use this area to
provide additional comments,
if necessary.
1-5 Likert Scale Number 1-5 Likert Scale Open Text
Example: NCF 12 5-Very High 1-end of list 2-Assesses risk on an ad
hoc basis
Open Text
Not Real Data-For Illustrative Purposes Only
Generate Electricity
Manufacture Equipment
Supply Water
Maintain Supply Chains
Benefits
Information collected across will help NRMC understand the current level of prioritization, perceived
severity of disruption, and perceived risk management capability across the 16 critical infrastructure
sectors.
NCFs that sectors reported they rely upon
8. TLP:WHITE
To learn more about
National Critical Functions, visit
www.dhs.gov/cisa/national-critical-functions
Editor's Notes
Legacy approach to critical infrastructure security and resilience in America
Focused on sectors
Use coordination councils organized around each sector
But the modern critical infrastructure risk landscape does not fit neatly into a sector construct
In April 2019, DHS published a set of ncfs
Themes: connect…
Break down sectors into their functions
Capture functions that “hide” in the sector organization (functions that everyone does)
Capture functions that no one “does” but are important to America
Captures activities for one reason or another do not fit into a sector construct
Examples:
Process:
Publication
Prioritization
Risk Analysis
Process:
Publication
Prioritization
Risk Analysis
In closing….
Commonality and drew inspiration from the vital functions of society in Finland
Hope this approach enables an advance on how we do risk management in the CISR space
National Critical Functions is