CISA Calling for Feedback on Vulnerability Assessments


The Cybersecurity and Infrastructure Security Agency is looking to improve its vulnerability assessment program. This month marks one year since the United States Department of Homeland Security established the Cybersecurity and Infrastructure Security Agency. CISA was created to improve the federal government’s defenses against cyber attacks and to coordinate cybersecurity programs with the states.

Since then, the agency has launched a number of programs designed to help organizations better protect themselves from cyber attacks. Now CISA is looking for feedback to improve one of those programs to better serve the public.

CISA’s vulnerability assessment program helps participants detect weaknesses in their digital infrastructure and develop strategies to improve security. The program gives critical infrastructure operators insight on how their cyber defenses compare with others.

“These voluntary, non-regulatory vulnerability assessments are the foundation of the National Infrastructure Protection Plan’s risk-based implementation of protective programs designed to prevent, deter, and mitigate the risk of a terrorist attack while enabling timely, efficient response and restoration in an all-hazards, post-event situation,” CISA writes on its website. “Because the majority of all U.S. critical infrastructure is privately owned, the effectiveness of vulnerability assessments depends upon the voluntary collaboration of private sector owners and operators.”


On November 14, CISA posted a request for comment on the program. The notice, published in the Federal Register, also proposes changes to the program, including adding three customer feedback questionnaires to the assessment process. The three questionnaires are designed to collect feedback on the content and functionality of the assessment system.

As part of the program, Protective Security Advisors and Cybersecurity Advisors conduct voluntary assessments of critical infrastructure facilities. The assessments are web-based and collect basic, high-level information about an organization and its dependencies.

“This information allows an organization to see how it compares to other organizations within the same sector as well as allows them to see how adjusting certain aspects would change their score,” CISA wrote in the Federal Register post. “This allows the organization to then determine where best to allocate funding and perform other high-level decision-making processes pertaining to the security and resiliency of the organization.”

The information collected in the assessment program is used to produce two scores for an organization’s cybersecurity posture: one measures the strength of the organization’s defenses and the other rates its resiliency under attack.

“Once available, the organization and other relevant system users can then review the data and use it for planning, risk identification, mitigation and decision making,” CISA wrote in the post.

According to CISA, 3,181 organizations participate in the program each year, and the program costs approximately $2.2 million annually.

Changes to the vulnerability assessment program are part of CISA’s ongoing efforts to prepare organizations to defend themselves against cyber attacks.

“The threat landscape is evolving. The vulnerability landscape is evolving. The adversaries’ tactics, techniques and procedures and their tradecraft is evolving. And we also know that the infrastructure landscape is going to continue to evolve,” Richard Driggers, CISA’s deputy assistant director for cybersecurity, said at CyberCon2019 earlier this year. “Those types of infrastructure that we are worried about protecting against today are going to be different in the future,” he added. “Ten, 15 years ago we weren’t worried about securing the cloud. Today we are. So we have to be focused over the horizon to make sure that we can be ready with our technologies, be ready with the types of defensive capabilities that we’ll put into place.”

The public has until December 14 to submit feedback regarding the program and proposed changes.
