The Evolution of Cybersecurity: Community Lifelines and National Critical Functions

In honor of National Cyber Security Awareness Month,  Hagerty Consulting is reflecting on the evolution of cybersecurity planning. In this post, we ask readers to consider recent evolutions in both emergency management and cybersecurity by examining the Cybersecurity and Infrastructure Security Agency’s (CISA) National Critical Functions (NCF) and the Federal Emergency Management Agency’s (FEMA) Community Lifelines. Our planning experience underscores the importance of utilizing both emergency management and information technology (IT) concepts to enhance an organization’s cybersecurity, especially when both groups are expected to support response. For this reason, we asked ourselves, can these two constructs work together?

WHAT ARE THE NATIONAL CRITICAL FUNCTIONS AND HOW DO THEY CONNECT TO THE COMMUNITY LIFELINES?

The NCFs offer a risk management framework for cybersecurity incidents. The 55 NCFs that make up this construct include public- and private-sector functions that are vital to national security. For example, they protect the security and anonymity of the vote in a national election. The disruption, corruption, or dysfunction of these functions would have a debilitating effect on national security, economic security, and/or public health and safety. Each of the 55 NCFs fall under one of four governing areas – supply, distribute, manage, and connect – according to their function. These four governing areas and the NCFs facilitate effective communication, foster ongoing collaboration between functions, and provide resources during a cyber incident. Similarly, FEMA’s Community Lifelines help decisionmakers identify and communicate complex interdependencies, enhance situational awareness, and can help inform response priorities. Both concepts allow communities and organizations to analyze and understand their risk and readiness, in order to perform essential actions that guarantee that community functions are fully operational at the time of an incident.

Figure 1: Community Lifelines

USING THE COMMUNITY LIFELINES AND NATIONAL CRITICAL FUNCTIONS TOGETHER

Hagerty recommends using CISA’s NCFs and FEMA’s Community Lifelines in the following ways:

• To Enhance Planning Operations: Many facets of the Community Lifelines are reliant on IT infrastructure, making the NCFs an integral part of the Lifeline framework, and vice versa. Therefore, NCFs should be implemented in conjunction with the Community Lifelines concept to enhance an organization’s planning efforts and capabilities. Hagerty recommends that cybersecurity plans consider the NCFs under each of the seven Community Lifelines to better understand their interdependencies. Figure 1 shows how the two frameworks connect.
• To Better Understand Vulnerabilities: Cybersecurity plans should consider CISA and FEMA’s approach to assessing potential risks and vulnerabilities within an organization in order: to provide a thorough analysis of an organization’s ability to function during response, identify potential issues before an incident, and better safeguard the stability of operation. Together, they can be used to streamline potentially redundant or disjointed coordination efforts across all levels of the response operation, bringing together emergency management and IT practices.
• To Make Critical Infrastructure Resilient: Finally, when used together, these frameworks provide a functional and practical approach to hardening systems and making critical infrastructure resilient since both constructs offer an approach to assess response capacity before an event, not just during or after an event.

ADDITIONAL RESOURCES

The following federal resources are intended to support your organization become more resilient to cyber incidents.

• Department of Homeland Security’s Think. Connect. Toolkit
• Community Lifelines Implementation Toolkit
• CISA’s Reducing National Risk Overview

Hagerty is prepared to help your organization leverage the National Critical Functions and Community Lifelines to enhance your organization’s operational capacity. Using our innovative Cyber Nexus Approach, Hagerty leverages subject matter expertise and experience planning with states across the country to bring diverse stakeholders together and build organized, effective cyber operations. To learn more about our cybersecurity services, contact development@hagertyconsulting.com.