www.oig.dhs.gov
6
OIG-24-09
OFFICE OF INSPECTOR GENERAL
U.S. Department of Homeland Security
The inconsistent collaboration, as cited by the EPA official, occurred because CISA had not
established formal mechanisms for its interactions with EPA, including (1) a written
Memorandum of Understanding with EPA and (2) internal policies and procedures regarding its
collaboration. Specifically, CISA had not documented its relationship with EPA in the form of a
written Memorandum of Understanding that defined each agency’s roles and responsibilities
and the mechanisms for collaboration. According to the U.S. Government Accountability Office
(GAO), agencies can strengthen their commitment to work collaboratively by articulating their
agreements in formal documents, such as Memorandums of Understanding. Additionally, CISA
did not have established policies and processes for its Water Sector Liaison’s role, how divisions
should coordinate their communication with EPA, when CISA should collaborate with EPA to
share information with the Water Sector, what information should be shared, or how often
information should be shared. CISA’s former acting Water Sector Liaison said CISA used PPD-21
and the CISA Act as guiding documents and authorities to define the Water Sector Liaison role.
However, we found that PPD-21 and the CISA Act only broadly define the role and do not
prescribe a process for CISA to support the SRMA, the frequency of collaboration, or what
information should be shared.
We also determined there was ineffective collaboration between CISA and other Water Sector
stakeholders, such as the SCC. Executive Order 13636
Improving Critical Infrastructure
Cybersecurity
8
directs DHS to establish a consultative process to coordinate improvements to
critical infrastructure cybersecurity. Executive Order 13636 expressly states DHS should consider
the advice of the SCC, critical infrastructure owners, and other entities, in addition to the SRMA.
The
Water and Wastewater Systems Sector-Specific Plan 2015
9
recognizes the Water SCC as a key
link between Federal Government agencies and Water Sector owners and operators.
Based on our meetings with the Water SCC, a number of specific concerns were raised by Water
SCC officials, such as:
• Direct Engagement with CISA: Officials said they would benefit from increased, direct
engagement with CISA. One Water SCC official indicated the relationship between CISA
and EPA led to filtering of messages from CISA to the Water SCC and vice versa. In the
official’s view, this filtering of information resulted in CISA not necessarily receiving the
most appropriate responses from the Water SCC. A CISA official acknowledged that CISA
did not have consistent communication with the Water SCC and said the Water SCC was
supposed to report to EPA, but Water SCC officials noted a lack of clear guidance
8
Executive Order 13636 Improving Critical Infrastructure Cybersecurity
, The White House, Office of the Press
Secretary, February 12, 2013.
9
The Water and Wastewater Systems Sector-Specific Plan 2015 addresses risk-based critical infrastructure
protection strategies for drinking water and wastewater utilities and describes processes and activities to enhance
the security and resilience of the sector’s infrastructure.