CISA needs more money and less red tape, report says

peshkov/Getty Images

Bureaucracy and dispersed authorities hinder the Cybersecurity and Infrastructure Security Agency's ability to carry out its mission as network cyber lead, according to an analysis from the Center for Strategic and International Studies.

The Cybersecurity and Infrastructure Security Agency will need more than money alone to effectively address growing cybersecurity threats to federal civilian agencies in coming years, according to a new study on the agency’s role as the operational lead for protecting the .gov domain.

“The U.S. government needs better planning frameworks and coordination mechanisms to work across the diverse mix of agencies within the federal executive branch,” reads the new, six-month-long study on CISA’s services to federal civilian agencies conducted by the Center for Strategic and International Studies.

The report, released Monday, is informed by tabletop exercises and interviews with public and private sector experts including current and former CISA officials. It includes recommendations for CISA, lawmakers and other agencies. 

CISA is the designated lead for federal network security, but it still needs to more clearly lay out its role in protecting the .gov domain, the authors argue. They'd like to see CISA commission an independent report on the agency's roles and responsibilities as the lead for federal network defense. They also recommend that Congress formally designate CISA as the agency that receives reports on major cyber incidents from federal departments and agencies.

Lawmakers also need to ensure consistent funding for programs like CISA’s Continuous Diagnostics and Mitigation, meant to give the agency visibility into federal networks, the report recommends.

CISA’s executive assistant director for cybersecurity, Eric Goldstein, said during a Monday CSIS event that his agency has seen a “very positive trend line” in terms of resources and authorities, but “we have not yet reached the end state.”

“The critical question for us is going to be, can we continue on this trajectory?” he said. “Can we continue shifting that balance of visibility, of agility, towards giving CISA the ability to help agencies understand their own risk? That's going to require ongoing, sustained investment over multiple future fiscal years.”

The CSIS report also recommends that Congress formalize and fund CISA’s Joint Collaborative Environment, a cyber information-sharing effort spanning the public and private sectors. 

The report also argues that Congress should fund an entity to collect, analyze and share cybersecurity statistics, whether that be hosted by CISA itself or outsourced to a third party.

And CISA needs to communicate how it is integrating systems as it rolls out new programs to combat the perception that such programs are not sharing information or best practices, the report states. 

Goldstein also elaborated on how CISA navigates the vast differences in agencies’ ability to address cybersecurity risks. Although all agencies should be responsible for a common set of requirements, “the question is, if an agency is reasonably unable to meet those requirements, or if it's the case that it is an imprudent use of taxpayer dollars to be separately funding … abilities across agencies, that's where CISA can come in and gap fill,” he said.