CISA’s CSAC meeting focuses on enhancing cyber operational collaboration, joint defense initiatives


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) convened its second quarter 2024 Cybersecurity Advisory Committee (CSAC) meeting. In this session, members reviewed and voted on recommendations concerning the optimization of CISA’s Cyber Operational Collaboration Platform, as directed by CISA director Jen Easterly. These recommendations aim to bolster the ongoing development and funding of CISA’s Joint Cyber Defense Collaborative (JCDC), focused on enhancing operational cyber defense collaboration.

CISA’s cyber defense mission is dependent upon effective collaboration between the government and the private sector, which is enabled in significant part through JCDC. The next CSAC meeting will be held, virtually, in September.

“I am excited about the recommendations discussed today and look forward to reviewing them,” Easterly said in a Wednesday media statement. “I know they are thoughtful and innovative ideas that align with CISA’s priorities and mission as the previous recommendations have been.”

In addition to the recommendations put forth by the Optimizing CISA’s Cyber Operational Collaboration Platform subcommittee, the other subcommittees gave updates: the Strategic Communications subcommittee has resumed work to help CISA advance its communications efforts to the American people, while the Building Resilience for Critical Infrastructure subcommittee explored opportunities to promote cybersecurity and resilience efforts across critical infrastructure partners, including in relation to the People’s Republic of China’s (PRC) goals and targets.

Furthermore, the Technical Advisory Council subcommittee is researching how CISA can encourage migration toward open-source software security; and the Secure by Design subcommittee explored opportunities to ensure secure by design best practices are affordable and accessible for all users.

Established in 2021, the Committee was created to provide recommendations to the CISA Director to advance the cybersecurity mission of the agency as well as to strengthen cybersecurity measures across the nation.

In March, Director Easterly formally responded to the 108 recommendations the Committee approved during the September 2023 quarterly meeting. CISA accepted or partially accepted nearly all the recommendations. The recommendations and responses can be found here. In May, Director Easterly formally responded to the 29 recommendations the Committee approved during the December 2023 quarterly meeting, and CISA accepted nearly all the recommendations.

Last month, following directives from Easterly, the CSAC released its Reports and Recommendations and continued to make progress on six key topics throughout 2023.

The Committee provided recommendations to fully address all aspects of the six taskings by the December 2023 Quarterly Meeting. These include Corporate Cyber Responsibility, focused on what boards and C-suite executives must do to embrace cybersecurity as a matter of good governance. The Committee also supported CISA’s work to ensure that companies are building safety into all of their technology products so that they are safe for consumers.

The report also concentrated on enhancing Cyber Hygiene by specifically targeting the development of a technology ecosystem that is Secure-by-Design and Secure-by-Default. This included providing support to several vulnerable sectors in need of enhanced cybersecurity measures, such as K-12 education, hospitals, and water facilities.

The CSAC report also covered the National Cybersecurity Alert System, focused on understanding the feasibility of an alert system for cyber risk. The goal of this capability was to provide a clear and simple method to convey the current severity of national cybersecurity risk based upon CISA’s all-source analysis of evolving threat activity (e.g., utilizing a color-coded or numerical ‘scoring’ system). Such a system would complement rather than replace CISA’s existing production of alerts and advisories on specific, actionable risks.

The report also extended to building resilience and reducing systemic risks to critical infrastructure, aiming to enhance national risk management and establish criteria for a scalable analytical model to guide risk prioritization. Specifically, it examined the development of Systemically Important Entities and the National Risk Register. It also sought feedback on CISA’s Continuity of the Economy Scoping Plan.

In its report, the CSAC also explored the purpose of the Technical Advisory Council, a subcommittee composed of hackers, vulnerability researchers, and threat intelligence experts. This group, crucial to national security, provided direct feedback from front-line practitioners and helped strengthen CISA’s connections with the research community. They deliberated on strategies for CISA to ensure that by 2030, all critical products—both free and commercial—are memory-safe.

In the area of transforming the cyber workforce, the CSAC report emphasized developing a talent management ecosystem and a ‘People-First’ culture within CISA. It guided CISA on how to operationalize its core values and principles to foster this enduring culture. Additionally, the report assisted CISA in strategizing effective measures for assessing a hybrid and remote workforce, addressing challenges related to burnout, workload, and well-being to cultivate and retain an exceptional workforce.

Last month, CISA announced that 68 software manufacturers have voluntarily committed to its Secure by Design pledge. The initiative aims to enhance product security by incorporating security measures during the design phase. By participating in the pledge, these manufacturers are dedicated to working towards the outlined goals. The Secure by Design pledge represents a significant advancement in CISA’s initiative to promote secure product design.
