Report Suggests CISA Should Dominate Federal CybersecurityFederal Civilian Agencies 'Are Likely to Resist This Dramatic Change,' Report Says
A six-month study of federal government cybersecurity suggests the Department of Homeland Security could play a more prominent role in securing civilian networks, in a report that touts a "more centralized defensive strategy."
The department's role in federal cybersecurity has grown in authority and funding especially after the 2018 creation of the Cybersecurity and Infrastructure Security Agency. But CISA doesn't nearly approach the authority of its nearest military agency equivalent, a component of Cyber Command dubbed Joint Force Headquarters - Department of Defense Information Network that defends the military's roughly 15,000 networks.
Unlike their military counterparts, individual civilian agencies are responsible for their own cyber defense, a model the report says poses complications for incident reporting and response.
"Today's federal cybersecurity has been shaped as much by the threat as by bureaucracy," the Monday report says. Among the former DHS officials who sat on the task force that produced it were Suzanne Spaulding and Phillis Schneck. During their tenure as federal officials, both women heavily lobbied Congress to create CISA.
One of the recommendations made by the report is that CISA "clearly articulate its current role and what its role could be in the coming years with regard to its FCEB mission," referring to the approximately 100 federal civilian executive branch agencies. The recommendations don't outright advocate for a centralized model akin to the JFHQ-DODIN model. Federal civilian agencies "are likely to resist this dramatic change," the report says. Nor would centralization be a panacea. Undergoing that level of concentration "would take time, cause friction" and, despite increased visibility and responsiveness "might not create cost savings."
The report calls on Congress to formally authorize the Joint Collaborative Environment, a recommendation of the Cyberspace Solarium Commission. CISA officials have already said they will starting building the infrastructure for the environment, a virtual location for sharing and fusing threat information and insights.
The report also calls on Congress to give federal civilian agencies a more stable source of funding for procuring Continuous Diagnostics and Mitigation tools. Legislators might establish a working capital funds system or flexibility to carry over unused appropriations, it says.
Were Congress to be in a funding mood, it might also fund a Zero Trust Center of Excellence within CISA, the report says, acknowledging this would be a "radical approach" to increasing CISA's role in implementing zero trust architecture. A less radical approach would be for the agency to identify internal and external zero trust experts who could assist federal civilian agencies with implementation.
The report also calls for the agency to improve its marketing with the public. "CISA could benefit from simplifying its messaging," the report says. One way to do that, the authors say, would be "deleting outdated content" from its web page.