CISA Plans to Measure the Effect of Coming Standards on Industry’s Cybersecurity


But big companies want to avoid agencies’ use of related performance goals in new regulation.

The Cybersecurity and Infrastructure Security Agency will spend the next three years measuring the success of the government’s effort to protect both publicly and privately controlled critical infrastructure from cyberattacks.

According to a national plan the agency just released to take it through 2025, CISA’s strategy will involve performance goals that were due at the end of July under a national security memorandum addressing cybersecurity for industrial control systems used in critical infrastructure. The agency is planning to issue them sometime in October—cybersecurity awareness month—CISA Executive Assistant Director for Cybersecurity Eric Goldstein said Thursday before lawmakers on the House Homeland Security Committee. 

“Where appropriate within CISA authorities, we will set standards and recommendations to guide security decisions, much like our efforts to establish performance goals and increase the cross-sector cybersecurity baseline,” the CISA plan reads.

Measuring progress in cybersecurity has been a notorious sore point from the start of targeted policymaking efforts on the issue. Going back to 2013, when the National Institute of Standards and Technology started work on its landmark cybersecurity framework for critical infrastructure, there was a push to evaluate the state of an entity's cybersecurity based on outcomes, as opposed to the extent to which it implements specific controls to defend against attacks.

Industry has consistently relied on related arguments in trying to foil efforts—most recently an amendment Rep. Jim Langevin, D-R.I., has attached to the National Defense Authorization Act in the House—to hold them accountable to specific cybersecurity standards. 

“For several years, federal, state and local governments and industry have embraced a partnership model to defend critical infrastructure—the majority of which is owned and operated by the private sector—from nation-state and criminal cyberattacks. This approach has been largely successful,” reads a letter the U.S. Chamber of Commerce and other representatives for major companies sent to Senate committee leaders Friday opposing the amendment. “Many focus on the unfortunate cyber incidents that occur, while too few focus on the countless cyberattacks that have been avoided.”

CISA Director Jen Easterly—for one—is no longer willing to take such declarations of success as a given. During a recent meeting of her Cybersecurity Advisory Council, she noted the significance of the project the agency is about to embark on. 

“We're really going to be working hard to align our goals and objectives with specific measurements that help us reduce risk,” Easterly said, referencing the plan. “That is not a trivial endeavor. As we know, it's easy to count measures of performance. It's much more difficult to measure effectiveness and outcomes. But we think that's incredibly important given our mission, which is to lead the national effort to understand, manage and reduce risk to the critical infrastructure Americans rely on every hour of every day.”

Success of CISA’s plan is contingent on many external factors. Among those will be its ability to collect the necessary data, including through implementation of the Cyber Incident Reporting for Critical Infrastructure Act, which took effect in March. 

Some in the cybersecurity community, including Sen. Mark Warner, D-Va., have noted the lack of an appropriate enforcement mechanism for incentivizing companies to report security breaches and related information to CISA. In September 2021, Easterly—along with National Cyber Director Chris Inglis and Federal Chief Information Security Officer Chris DeRusha—advocated that financial penalties for non-compliance be included in the budding legislation, which Warner said became “toothless” after such measures were removed from an original proposal he authored.

Since then, Easterly has more fulsomely embraced CISA's role as a place where industry can seek solace from regulatory enforcement, seeking instead to attract industry’s participation in the agency’s plan with carrots, such as access to government intelligence and resources to hunt for vulnerabilities and respond to incidents. Such exchanges are the goal for mechanisms like CISA’s Joint Cyber Defense Collaborative and other organizational structures, through which the agency receives regular input from major companies across various industries.

But while last July’s national security memo calling for CISA’s performance goals says the initiative is for industry’s voluntary collaboration with government, Langevin’s amendment—along with comments from White House officials—suggests an effort to link the coming performance goals to potential regulatory efforts.

Speaking at a Center for New American Security event this summer, National Security Adviser for Cyber and Emerging Tech Anne Neuberger said the White House was working with lawmakers to embolden agencies to use their regulatory authority in managing the risks to cybersecurity in their sectors.  

Langevin’s amendment mirrors the national security memo on industrial control systems. They both say that the Department of Homeland Security should work with related agencies to develop cross-sector and sector-specific cybersecurity performance goals.

“These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” the documents both say, adding, “That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our nation.”

During Thursday’s House Homeland Security Committee hearing, Rep. Yvette Clarke, D-N.Y., who chairs the subcommittee on cybersecurity and innovation, asked Goldstein about the extent to which CISA had sought input on the performance goals from a range of stakeholders.

“We have gone through two rounds of robust stakeholder feedback, both of which included public review,” Goldstein said. “We received, remarkably, over 2000 comments on the cybersecurity performance goals and held a variety of workshops, including both for sectoral partners and the general public, as well as listening sessions across our stakeholder groups.”

He added that the agency wanted to broaden its scope of input beyond the stakeholders they talk to every day within CISA.

“And so we reached out uniquely to our international partners, to academia, to researchers, to owner-operators, device manufacturers, integrators, entities across the spectrum,” Goldstein said.

But only a few comments—those from the information and communications technology industry, which were critical of the draft performance goals—have been publicly reported, with other industry representatives saying CISA has been receptive to their feedback. A CISA spokesperson told Nextgov the agency does not intend to publicly release the comments it received. CISA did not provide a reason for the decision and also declined a request to provide earlier versions of the performance goals referenced on its website.

Engagements with agencies and industry on the performance goals are happening through the Critical Infrastructure Partnership Advisory Council—established in 2006 and consistently renewed, most recently in November 2020—and are exempt from public transparency laws under the Homeland Security Act. But the advisory committee meeting Tuesday provided insight into how the largest companies in the economy might be hoping to influence the form the goals take and their potential application by sector-specific risk management agencies.

Langevin’s amendment calls for an interagency council chaired by the directors of CISA and the Office of the National Cyber Director to identify a list of no more than 200 systemically important entities for which the performance goals will be relevant and to assign agencies for their regulation, where necessary. During Tuesday’s meeting, Chairman Tom Fanning, the CEO of the electric utility Southern Company, recommended the private sector be involved in the identification of such entities and the decision-making of sector-risk management agencies. 

“We want to also engage the systemically important entities in identifying the first, second and third derivative of what creates and manifests itself as risk,” he said. And while the White House memo and the Langevin amendment both ask relevant agencies to actively explore the need for additional authorities and regulatory measures, Fanning committed to staying as close as possible to the status quo.

“We want to outline the obligations of the systemically important [entities] to meet national resiliency goals,” he said of recommendations the full committee later approved. “We commit … to optimize and make smart—based on good outcomes—existing regulation and perhaps simplify that … to harmonize regulation and to defer wherever possible to what exists already.” 
