The Cybersecurity and Infrastructure Security Agency is looking to improve it’s vulnerability assessments program. This month marks one year since the United States Department of Homeland Security established the Cybersecurity and Infrastructure Security Agency. CISA was created to improve the government’s cybersecurity protections against hackers and coordinate cybersecurity programs with states.
Since then, the agency has launched a number of programs designed to help organizations better protect themselves from cyber attacks. Now CISA is looking for feedback to improve one of those programs to better serve the public.
CISA’s vulnerability assessment program helps participants detect weaknesses in their digital infrastructure and develop strategies to improve security. The program gives critical infrastructure operators insight on how their cyber defenses compare with others.
“These voluntary, non-regulatory vulnerability assessments are the foundation of the National Infrastructure Protection Plan’s risk-based implementation of protective programs designed to prevent, deter, and mitigate the risk of a terrorist attack while enabling timely, efficient response and restoration in an all-hazards, post-event situation,” CISA writes on it’s website. “Because the majority of all U.S. critical infrastructure is privately owned, the effectiveness of vulnerability assessments depends upon the voluntary collaboration of private sector owners and operators.”
On. November 14, CISA posted a request for comment on the program. The notice posted with the Federal Register also calls for changes to the program. These include adding three customer feedback questionnaires to the assessment process. The three questionnaires are designed to collect feedback on the content and functionality of the system.
As part of the program, Protective Security Advisers and Cyber Security Advisers conduct voluntary assessments on critical infrastructure facilities. These assessments are web-based and are used to collect basic, high-level information about organizations and their dependencies.
“This information allows an organization to see how it compares to other organizations within the same sector as well as allows them to see how adjusting certain aspects would change their score,” CISA wrote in the Federal Register post. “This allows the organization to then determine where best to allocate funding and perform other high-level decision-making processes pertaining to the security and resiliency of the organization.”
The information currently being collected in the assessment program is used to score an organization’s cybersecurity defense. One score measures the strength of the group’s defenses and the other rates its resiliency under attack.
“Once available, the organization and other relevant system users can then review the data and use it for planning, risk identification, mitigation and decision making,” CISA wrote in the post.
According to CISA, 3,181 groups participate in the program every year and the program costs approximately $2.2 million annually.
Changes to the vulnerability assessment program are part of CISA’s ongoing efforts to prepare organizations to defend themselves against cyber attacks.
“The threat landscape is evolving. The vulnerability landscape is evolving. The adversaries’ tactics, techniques and procedures and their tradecraft is evolving. And we also know that the infrastructure landscape is going to continue to evolve,” Richard Driggers, CISA’s deputy assistant director for cybersecurity, said at CyberCon2019 earlier this year. “Those types of infrastructure that we are worried about protecting against today are going to be different in the future,” he added. “Ten, 15 years ago we weren’t worried about securing the cloud. Today we are. So we have to be focused over the horizon to make sure that we can be ready with our technologies, be ready with the types of defensive capabilities that we’ll put into place.”
The public has until December 14 to submit feedback regarding the program and proposed changes.