What is the CISA? How the new federal agency protects critical infrastructure from cyber threats

CISA definition

The Cybersecurity and Infrastructure Security Agency (CISA) is a new federal agency, created to protect the nation’s critical infrastructure.

It was created through the Cybersecurity and Infrastructure Security Agency Act of 2018, which was signed into law on November 16, 2018. That legislation “rebranded” the Department of Homeland Security’s (DHS’s) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency and transferred resources and responsibilities of NPPD to the newly created agency. Prior to the passage of the bill, NPPD managed almost all of DHS’s cybersecurity-related matters.

CISA is responsible for protecting the nation’s critical infrastructure from physical and cyber threats. Its mission is to “build the national capacity to defend against cyber attacks” and to work “with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the .gov networks that support the essential operations of partner departments and agencies.”

Within CISA are two chief centers that are integral to the agency’s mission. The first, the National Cybersecurity and Communications Integration Center (NCCIC), provides 24×7 cyber-situational awareness, analysis, incident response and cyber-defense capabilities to the federal government; state, local, tribal and territorial governments; the private sector; and international partners. The second important center, the National Risk Management Center (NRMC) is a planning, analysis and collaboration center working to identify and address the most significant risks to the nation’s critical infrastructure.

Like NPPD before it, CISA also oversees within DHS the Federal Protective Service (FPS), the Office of Cyber and Infrastructure Analysis (OCIA), the Office of Cybersecurity & Communications (OC&C) and the Office of Infrastructure Protection (OIP). (The CISA Act of 2018, however, mandated that DHS review whether FPS, which is responsible for the physical security of nearly 10,000 federal buildings and their occupants, should be moved to another parent agency inside DHS or to another federal agency. It also moved the Office of Biometric Identity Management from NPPD to the DHS Management Directorate.)

With its creation and elevation to the status of a federal agency, CISA became an independent arm within DHS on par with the Secret Service or Federal Emergency Management Agency (FEMA). Former NPPD Under Secretary Christopher Krebs is CISA’s first director. Matthew Travis, former deputy undersecretary at NPPD, is the new agency’s first deputy director. The FY 2020 President’s Budget proposes spending $3.17 billion for CISA, which includes $1.6 billion in budget authority for fees collected from federal agencies in support of the Federal Protective Service.

History of CISA

Following the massive breach of the Office of Personnel Management in 2015, when sensitive personal data on 22 million current and former federal employees was stolen by suspected Chinese hackers, it became increasingly clear to many experts that the DHS was not in a strong position to adequately create a national response to the growing threat of foreign attackers infiltrating critical resources.  As more foreign incursions into U.S. IT infrastructure and other forms of cybersecurity attacks ramped up, leading experts began to call for the creation of a new agency better situated to tackle the growing problems.

“The department’s cybersecurity strategy was submitted over a year late, the organization lacks a sufficient ‘brand’ to recruit and retain top talent, and many companies have proven reluctant to collaborate with it,” General David Petraeus, U.S. Army (Ret.) and Kiran Sridhar said in Politico in 2018 about the need for a national cybersecurity agency.

DHS’s cybersecurity strategy, the DHS Cybersecurity Strategy, unveiled in May 2018, presented a strategic framework to execute the government’s cybersecurity responsibilities during the following five years. Both the strategy and the earlier Presidential Policy Directive 21- Critical Infrastructure Security and Resilience emphasized an integrated approach to managing risk, lending greater credence to the creation of a separate cybersecurity agency.

That integrated approach is what CISA was formed to foster, CISA chief Krebs has emphasized. When NPPD was established,  it was a “conglomeration of disparate security programs within DHS that didn’t fit neatly within TSA, or FEMA, or other established legacy agencies,” he said at an event in 2018. So over time as the threat landscape, particularly from a cybersecurity perspective, has evolved and the department’s role has been clarified and strengthened by Congress, it really became clear that the department needed a single voice, a single agency or organization who was able to carry out the [DHS] secretary’s critical infrastructure protection and cybersecurity authorities.”

Aside from the need for an integrated approach to the nation’s cybersecurity threats, CISA was created to solve what security professionals and government officials frequently referred to as a “branding” problem DHS faced with NPPD. The former NPPD’s name was “incomprehensible and unpronounceable” according to Krebs, making the group’s activities less recognizable among key stakeholders.

“I’m not a grammar snob, but when you look at that construction, it’s problematic on a number of fronts,” CISA’s Travis said at a conference in August 2018. “One, cyber’s not in the name. Two, if they just called us the National Protection Directorate, that would be fine. That covers what we do. And if they called it the National Protection Programs Directorate, that’s fine. It’s a little wordy, but we do run programs. But it’s the National Protection and Programs Directorate. It sounds like we do national protection over here and we’re doing some interesting stuff over here that’s not related.”

CISA’s early days

The agency is currently in the process of formulating a working plan to tackle a wide range of responsibilities and establish the integrated approach to cybersecurity it was founded to develop. “I’m looking at the next year and really the next two-years. We give ourselves two years to mature the organization and have it be the CISA we known it can be,” CISA’s Krebs tells CSO in an interview.

The agency is currently engaged in listening sessions with private sector and government stakeholders as it creates organizational and mission plans. Krebs has widely outlined five discrete lines of effort that have “mission opportunity” but also “mission risk,” including tackling supply chain threats to upcoming 5G networks, improving election security, bolstering government network security, protecting industrial control systems and still keeping an eye on physical security.

Even as it develops its long-term strategic goals, CISA has already launched a number of initiatives. The agency, along with industry members of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, kicked off efforts to identify and develop collaborative solutions to global supply chain risk, a timely topic given the Trump Administration’s push to bar Chinese telecom and tech giants from gaining a foothold in telecom and other critical infrastructure due to fears that Chinese tech suppliers embed surveillance technologies in their products at the behest of the Chinese government. CISA is also working on election security issues, having established task forces that bring together a broad set of resources, including temporary detailees from other parts of DHS, to quickly address this threat ahead of the 2020 elections.

In late April 2019, CISA released the inaugural set of National Critical Functions, which identifies functions so critical to the government and private sector, such as electricity distribution or internet service, that any disruption in them could cause debilitating effects on security, national economic security, national public health or safety. CISA has also emerged as a key player in implementing an Executive Order directing the federal government to take critical steps to strengthen and bolster America’s cybersecurity workforce given the chronic workforce shortages the cybersecurity sector faces.

More recently, CISA’s Krebs used his agency’s new-found visibility to warn the country that Iran is stepping up its malicious cyber activity and seeks to do more than steal data and money by launching destructive “wiper attacks” that can actively destroy networks.

Collaboration with critical infrastructure owners and operators

Because the private sector owns and operates most of the critical infrastructure in the U.S., CISA sees working with critical infrastructure owners and operators as central to its mission. The agency worked closely with industry partners in mapping out the Critical Functions list because, as an agency spokesperson tells CSO, “Neither government nor the private sector alone has the knowledge, authority, or resources to do it. Public-private partnerships are the foundation for effective critical infrastructure security and resilience strategies, and timely, trusted information sharing among stakeholders is essential to the security of the nation’s critical infrastructure.”

Information sharing with industry is also key to other CISA programs such as the Automated Indicator Sharing (AIS) program, which is an early warning system that allows a company or federal agency to share information in near real-time after an attempted compromise has been observed. The goal of AIS is to allow industry and government partners to protect themselves before an intrusion occurs.

CISA says that since March 2016 (a timeframe that includes its previous incarnation as NPPD), it has shared more than six million unique cyber threat indicators with partners. The agency currently has more than 250 organizations connected to its AIS server and more than 4,000 third-party AIS connections, a CISA spokesperson says.

CISA also helps organizations better manage cybersecurity risks by helping them navigate the use the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), along with other agency best practices. Finally, CISA encourages CISOs to be engaged with and join their respective Information Sharing and Analysis Centers (ISACs) to facilitate information exchange within their sectors.