Why CISA Won’t Release ‘Public’ Comments on Upcoming Performance Goals

The swearing in of new Cybersecurity and Infrastructure Security Agency director Jen Easterly at CISA Headquarters in Arlington, VA. Benjamin Applebaum/DHS

CISA officials often stress their non-regulatory role, but Congress keeps trying to give the agency regulatory responsibilities.

The Cybersecurity and Infrastructure Security Agency’s promise to conceal stakeholders’ feedback on what should function as baseline security measures for critical infrastructure companies is in tension with its commitment to transparency.

“It would be consistent with CISA’s commitment to transparency to make the comments public,” Suzanne Spaulding, a former chief of the Department of Homeland Security agency that would become CISA, told Nextgov. “It could be tricky, however, if they didn’t make clear at the outset that the comments would be public.”

Spaulding, now a senior homeland security adviser and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies, was referring to comments CISA sought from stakeholders in shaping goals for the companies to meet in order to defend their industrial control systems and maintain essential services during a cyberattack.  

CISA didn’t neglect to disclose at the outset that comments collected on the performance goals would be public; it deliberately precluded the comments’ release. The agency’s webpage on the initiative notes that engagement with relevant agencies and private-sector stakeholders is happening through the Critical Infrastructure Partnership Advisory Council. Following the attacks of Sept. 11, 2001, Congress authorized CIPACs at the Department of Homeland Security—where CISA is housed—to facilitate frank and open input from companies about what is needed to protect the homeland from attacks by exempting such meetings from the transparency rules that govern other federal advisory committees.

The goals won’t necessarily be mandatory for industry

Unlike the process under which CISA is soliciting comments from the public for implementation of the Cyber Incident Reporting for Critical Infrastructure Act, CISA’s consideration of stakeholder comments on the cybersecurity performance goals is not for a direct application of regulatory authority. 

“Our request for written input was an information solicitation and was not governed by formal administrative procedures like a [Request for Information],” according to a CISA spokesperson. “Given that, it would be unusual to release the written comments, given both the voluntary nature of the [Cybersecurity Performance Goals] and our intent to continue requesting feedback even after the CPGs are released this month.”

But while the July 2021 national security memo instructing CISA to establish the performance goals does not itself mandate private-sector adherence to them, agency leaders and lawmakers are considering how the goals might be used as the basis for mandates down the line, most immediately for federal contractors.   

The national security memo allows CISA, working with relevant agencies governing specific sectors in setting the goals, to “include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our nation.” And it says the performance goals “should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services.”  

During a Sept. 15 hearing of the House Homeland Security Committee, CISA Executive Assistant Director Eric Goldstein said the agency is also aligning the performance goals with software security requirements for federal agencies from the Office of Management and Budget. Those requirements were issued under Executive Order 14028, the administration’s primary response last May to SolarWinds, Colonial Pipeline and the other major hacks of 2021. 

Lawmakers highlight need for “untapped” feedback, transparency 

Members of Congress—along with senior members of the administration seeking to embolden agencies’ use of their regulatory authorities—have pushed for CISA to produce similar “performance goals” in legislation that has been included in the House-passed National Defense Authorization Act. That legislation also calls for an interagency council led by CISA Director Jen Easterly and National Cyber Director Chris Inglis to assign federal agencies responsibility for managing various critical-infrastructure sectors.

“I believe we need to revamp our playbook for securing [operational technology], and the common baseline performance goals that CISA is developing might create a foundation to do just that, but only if it gets it right,” Rep. Yvette Clarke, D-N.Y., chair of the Homeland Security Committee’s panel on cybersecurity, said during the Sept. 15 hearing.

“What mechanisms does CISA have in place to engage with stakeholders and solicit feedback, and is CISA proactively seeking new, untapped stakeholder groups who may have novel insight to share?” she asked Goldstein during the recent hearing.

Goldstein touted the agency’s efforts in response: “We have gone through two rounds of robust stakeholder feedback, both of which included public review. We received, remarkably, over 2,000 comments on the cybersecurity performance goals and held a variety of workshops, including both for sectoral partners and the general public, as well as listening sessions across our stakeholder groups.”

Those rounds of outreach also intentionally sought unique perspectives outside the usual stakeholders CISA regularly talks to, Goldstein added.

“We reached out uniquely to our international partners, to academia, to researchers, to owner operators, device manufacturers, integrators, entities across the spectrum,” he said.

Other lawmakers considering an update to the government’s role in defending the country from cyberattacks also highlighted a lack of insight into the result of the voluntary approach pursued in Biden’s ICS initiative, which involved intensely focusing on a particular sector for multiple months. 

“I’ve read the press releases about the 100-day cybersecurity sprints, but it seems like there’s no real transparency around them,” Rep. Ritchie Torres, D-N.Y., told Goldstein during the hearing. “There has been no reporting regarding the results of these sprints. Do you intend to report the failures and successes of these sprints or the lessons learned from them?”

Goldstein deferred to the White House for reporting on the initiative. On Tuesday, the White House pointed to its call for the performance goals in declaring its cybersecurity efforts a success. 

CISA does have experience regulating cybersecurity

In discussions on the agency’s role, CISA leaders—including Director Jen Easterly—have stressed their non-regulatory approach to managing cybersecurity, but the agency can and does exercise significant regulatory powers. 

Lawmakers have discussed the potential need to appoint an agency for managing cybersecurity risk presented by providers of “commercial” information communications technology, including powerful cloud service providers and sellers of other software products and services. Such “commercial off-the-shelf,” or COTS, items were exempt from cybersecurity management under the 2013 presidential policy directive that President Joe Biden based his national security memo on. And CISA’s performance goals could have a more immediate effect on the federal government’s cybersecurity through inclusion in agencies’ procurement requirements, based on their implementation of the executive order on secure software development.

In contrast to the hazy world of cloud service providers and other software products and services that might be considered critical for maintaining essential services, CISA has clear regulatory authority over the chemical sector. And Spaulding and others, including the Government Accountability Office, have pointed to the system CISA uses there as a potential model to follow in areas where the responsibility for managing cybersecurity risk is unclear, or inactive. 

Easterly herself noted how impressed she was by the standards used in the chemical sector for their early consideration of how to mitigate risks specifically presented by industrial control systems, which a hacker could manipulate with potentially catastrophic physical consequences. That danger grew over the course of the pandemic, as workers increasingly relied on remote access for managing such systems, and information technology and operational technology became further intertwined.  

How stakeholder feedback has already changed the performance goals

Last September, on deadline, CISA published its first draft of cross-sector performance goals for protecting the industrial control systems running critical infrastructure. The goals referenced the Chemical Facilities Anti-Terrorism Standards, or CFATS, in addition to previous guidance from CISA and the National Institute of Standards and Technology. The draft listed “sample evidence of implementation” for “baseline objectives” in goals for nine areas, including “risk management and cybersecurity governance,” and “architecture and design.”     

Whether an “organization employs firewalls, access control lists and one-way communication diodes,” could serve as evidence it tried to establish and protect a boundary around the control systems, for example, according to the initial draft of the goals.   

After an early round of comments, at the start of the year, CISA removed the first draft of the cybersecurity performance goals from its website and released version 2.0 of the draft goals. The new document does not reference CFATS. It relies heavily on the NIST Cybersecurity Framework of 2014, and includes guidelines for organizations to establish their own metrics for determining the extent to which a list of baseline “controls” is implemented.

The new performance goals say, in measuring segmentation of IT and OT networks, “Communications into the OT network must go through a tightly controlled and logged intermediary, such as a bastion host or a ‘jump box,’” for example.

CISA, working with NIST, was not required to solicit, or publish, stakeholder comments for establishing the performance goals. But in April, comments NIST collected for updating its 2014 framework showed USTelecom pushing for the framework to remain mappable to the performance goals CISA is ultimately responsible for producing.

In August, after CISA issued calls for feedback from the broader public on the second version of the performance goals, other trade associations for providers of commercial information and communications technology joined USTelecom in expressing their continued dissatisfaction with the cross-sector performance goals, despite the significant changes. The industry groups shared their later comments to CISA with the Washington Post.

“At a minimum, CISA should remove language like ‘must,’” read comments submitted by USTelecom, wireless communications association CTIA and NCTA–The Internet and Television Association. “Segmentation can be costly and can impede access to business or mission-critical applications. An overly rigid expectation for default segmentation would deprive organizations of the capability to manage their systems and networks.” 

The information and communications technology industry is already very well represented within CISA, forming the base of the agency’s Joint Cyber Defense Collaborative and the Information and Communications Technology Supply Chain Risk Management task force.

A matter of trust

Asked to comment for this story, spokespeople for CISA said the agency’s outreach specifically for comments from the broader public consisted of two tweets and the “information solicitation” referenced above. CISA did not respond to a request following up on where the information was solicited beyond the tweets and the agency’s webpage. There was no press release requesting comments from the public. 

And during the introductory remarks of a virtual workshop the agency held specifically to receive input from the public—as opposed to the critical infrastructure operators the agency is engaging with under CIPAC authorities—Goldstein also promised ahead of time that feedback shared on the goals would not be made public.       

Regulatory agencies—some of which are risk management agencies CISA must work with to finalize sector-specific performance goals—typically cite specific comments they receive as part of a rulemaking process to support their decisions. They publish the comments they receive and explain why they agreed with some and disagreed with others on various parts of an ultimate rule, lest they be challenged in court as capricious.

On the performance goals, CISA told Nextgov the agency’s plan for keeping stakeholders engaged in a process of constantly cultivating the goals as a standard to meet is to ask for their trust.  

“CISA is committed to being as transparent as possible throughout this process, which is why we plan to release a summary of the input we have received,” an agency spokesperson said.  

The final cross-sector cybersecurity performance goals are now over two months overdue under the national security memo.
