Critical Infrastructure Security, Compliance Management

House Homeland leaders don’t want CISA’s reach to exceed its grasp

Share
CISA's new incident reporting rules

As the Cybersecurity and Infrastructure Security Agency’s mission and portfolio have grown in recent years to meet the bold agendas of Congress and the White House, leaders on the House Homeland Security Committee want to ensure that as the young agency is given new powers and increased funding, it is adequately staffed and resourced to handle existing responsibilities.

First created through legislation passed during the Trump administration, CISA began with a budget of $1.68 billion. Since then, it has experienced a meteoric rise as the top cyber agency for the civilian federal government and one of the government’s chief coordinators with the private sector. As a result, the dollars flowing into the agency have nearly doubled to $2.9 billion in 2023, with the latest White House spending plan proposing an additional increase to $3.1 billion as CISA has taken on a range of new authorities, responsibilities and initiatives.

Those actions include the establishment of the Joint Cyber Defense Collaborative, doling out hundreds of millions of dollars in grant funding to state and local governments, and new regulatory authorities to issue administrative subpoenas to industry, require critical infrastructure entities to report cyberattacks, and proactively threat hunt on other federal agency networks. The agency also continues to staff up in the midst of a nationwide shortage of cybersecurity workers, while Director Jen Easterly is looking to achieve gender parity in the agency’s workforce by 2030.

In the first hearing of House Homeland’s Cyber and Infrastructure Protection Subcommittee this Congress, leadership from both parties indicated they intend to focus on ensuring the agency is appropriately structured and resourced to carry out its increased writ. Rep. Andrew Garbarino, R-N.Y., chair of the subcommittee, promised “rigorous oversight” of the agency’s expanded mission, saying “the level of funding and responsibilities CISA has taken on in recent years “would be a lot for even a large, mature department to handle.”

“As a result of the evolving threat landscape, Congress has asked a lot of CISA from day one and expected it to succeed. The reality is that CISA is still a young agency, it was created in 2018, and since then it has grown exponentially,” he said, later adding: “We need to take a step back and allow CISA to get a handle on their new responsibilities and ask pointed, productive questions about its efforts.”

Those sentiments were largely echoed by ranking Democrat on the subcommittee, Rep. Eric Swalwell, D-Calif., who noted that even before CISA took on some of these new authorities and tasks, their plate was already full with existing responsibilities to assist federal agencies in their own cybersecurity efforts, engage with private industry and critical infrastructure, help secure elections and surge resources to meet emergent, cross sector threats like SolarWinds and Log4J.

“While CISA pursues the ambitious agenda set by its leadership, it must also effectively execute its existing obligations, including to promote the great training and educational resources … that are widely utilized across industries,” he said.

New work mixed with unfinished business

In particular, Swalwell expressed concern that while the JCDC — which puts CISA, other federal agencies and members of industry in the same room to develop solutions to systemic cybersecurity problems — often gets rave reviews from industry, it still operates in a somewhat opaque fashion. Swalwell plans to introduce legislation in the coming weeks to bring more transparency around the collaborative’s work, as well as its process for adding new members.

“JCDC had existed for a year and a half without a charter or concrete criteria for membership, all of which are essential...and a number of people have asked me: ‘how do we get into JCDC?’” he said.

The notion that CISA’s plate may be fuller than its appetite — or resourcing – may be partially backed up by a pair of reports this month from the Government Accountability Office, Congress’ oversight arm over federal agencies.

One of those reports found that the National Critical Infrastructure Prioritization Program, which was created after 9/11 and is supposed to be used by CISA to prioritize support to high-value systems and assets that would cause cascading effects across American society if disrupted, is so old that it doesn’t substantively cover cybersecurity threats, CISA’s main mission.

Further, GAO investigators found that “nearly all federal and state officials we spoke with questioned the program's relevance and usefulness.” The agency completed another initiative, mapping national critical functions, and is currently working on a separate initiative called the Systemically Important Critical Infrastructure list, that are designed to address many of the same core questions.

Another report found that while CISA helps oversee and guide the work of other sector risk management agencies around protecting critical infrastructure from both physical and cyber threats, there are a number of pressing tasks — like updating Presidential Policy Directive 21 (which deals with critical infrastructure security), re-writing the National Infrastructure Protection Plan and refreshing individual plans for all 16 critical infrastructure sector — that are not being governed by clear timelines or milestones.

Tina Won Sherman, director of critical infrastructure protection and transportation security at GAO, told the panel that it’s not clear whether CISA’s maturity has kept pace with it’s growing budget, and highlighted a range of activities CISA could undertake to improve cybersecurity coordination between themselves, sector risk management agencies and the industries they cover.

“For example, CISA does not have a standardized approach for agencies to estimate costs, or make requests for resources, does not consistently measure the maturity and effectiveness of the agencies, has created but not yet filled liaison positions with them and does not obtain regular feedback on their partnerships,” said Sherman.

In a letter attached to one of the reports, the department’s GAO liaison Jim Crumpacker said the agency concurred with all six recommendations and planned to have them all completed by the end of October later this year.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.