The Cybersecurity and Infrastructure Security Agency (CISA) cannot demonstrate how its oversight has improved Dams Sector security and resilience. We attribute this to CISA’s inadequate management of Dams Sector activities. Specifically, CISA has not:

- coordinated or tracked its Dams Sector activities;
- updated overarching national critical infrastructure or Dams Sector plans; or
- collected and evaluated performance information on Dams Sector activities.

In addition, CISA does not consistently provide information to the Federal Emergency Management Agency (FEMA) to help ensure FEMA’s assistance addresses the most pressing needs of the Dams Sector. CISA and FEMA also do not coordinate their flood mapping information. Finally, CISA does not effectively use the Homeland Security Information Network Critical Infrastructure Dams Portal to provide external Dams Sector stakeholders with critical information.

As a result, CISA could improve its oversight, coordination, and communication to better support the Dams Sector security and resilience. These changes would enhance the Sector’s ability to adapt to the risk environment and decrease the likelihood of future dam failures and flooding events.

Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1 | No | $0 | $0 | We recommend the Director, Cybersecurity and Infrastructure Security Agency: Recommendation 1: Update the Dams Sector-Specific Plan as required, ensuring alignment with the updated National Infrastructure Protection Plan currently under development.
2 | No | $0 | $0 | We recommend the Director, Cybersecurity and Infrastructure Security Agency: Formalize CISA's organizational structure to clarify roles, responsibilities, coordination processes, and reporting procedures across all divisions performing activities relating to CISA's role as the Sector-Specific Agency for the Dams Sector.
3 | No | $0 | $0 | We recommend the Director, Cybersecurity and Infrastructure Security Agency: Establish policies, procedures, and performance metrics to help ensure CISA divisions consistently assess the impact of all programs and activities relating to CISA's role as the Sector-Specific Agency for the Dams Sector, and that CISA assess their effectiveness in the role of Sector-Specific Agency for the Dams Sector.
4 | No | $0 | $0 | We recommend the Director, Cybersecurity and Infrastructure Security Agency: Strengthen coordination with FEMA by establishing Memorandums of Understanding, Interagency Agreements, or other documented strategies to formally define CISA's and FEMA's roles and responsibilities for information sharing and analytical collaboration for grant decision-making related to safety, security, and resilience of dams, as well as the use and applicability of numerical simulation models, flood inundation tools, and supporting geospatial mapping capabilities to support emergency preparedness and incident response.
5 | No | $0 | $0 | We recommend the Director, Cybersecurity and Infrastructure Security Agency: Develop and implement a strategy for Dams Sector stakeholders to use the HSIN-CI Dams Portal to its fullest potential. CISA should develop metrics on usage, performance, and training needs; update the HSIN-CI Dams Portal with clear instructions; and encourage sharing of lessons learned, after action reports, and best practices among stakeholders.