Homeland Security Committee expresses concern to CISA on new systemically important entities program office

Homeland Security Committee members have written to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) director requesting details on reported plans to establish a new program office to identify ‘systemically important entities’ (SIE) by the end of September. The initiative seeks to identify the most vulnerable critical infrastructure entities across the country. The members have also sought clarity on whether these goals complement, replace, or are duplicative of existing efforts already underway in the agency to identify and mitigate systemic risk.

The bipartisan letter, written by Andrew Garbarino, a Republican from New York and chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, and ranking member Eric Swalwell, a Democrat from California, to Jen Easterly, CISA director, requests a briefing to elaborate on the proposed new SIE office and how it plans to interface with the National Risk Management Center (NRMC), especially as the NRMC welcomes new leadership.

The members have asked CISA to provide a briefing ‘no later than May 12, 2023,’ wherein the lead security agency shall include, at a minimum, a description of the goals of the new SIE office, including interim milestones, and a detailed description of the planned new SIE program office, including structure, estimated staff levels, and necessary resources.

The members also sought an explanation of how the new program office would integrate with, inform, and complement other ongoing designation schemes at CISA, including, but not limited to, the Section 9 list, the National Critical Functions, and the National Critical Infrastructure Prioritization Program. Additionally, the committee members asked CISA to provide detail on how the new program office plans to incorporate efforts from other sector risk management agencies (SRMAs) and other stakeholders within each sector.

The committee members were following up with CISA after the agency’s Cybersecurity Advisory Committee meeting last month. “We understand you hope to work with each sector risk management agency (SRMA) to identify SIEs in each of the 16 critical infrastructure sectors. Given the vast scope of this initiative, and its similarities to other programs previously initiated, we request additional information on CISA’s proposed SIE designation efforts,” the members wrote. 

Specifically, “we request information on how these efforts complement or replace existing efforts to mitigate systemic risk to Section 9 entities, secure National Critical Functions (NCF), prioritize assets through the National Critical Infrastructure Prioritization Program, and maintain a National Asset Database. We also hope to understand how the National Risk Management Center (NRMC) and the proposed new SIE office will coordinate and deconflict efforts related to SIEs,” the members added in their letter. 

The members also outlined in their letter that stakeholders across sectors seem to agree that identification and prioritization of systemic risk are critical to mitigating cyber threats. “However, the task of identifying our nation’s most critical assets is no small feat, and any effort to do so should be informed by—but not duplicative of—past efforts. CISA must have clear goals, objectives, and metrics to measure success in place at the outset.” 

The members wrote that government bureaucracy should not amount to increased risk for these entities. “We intend to ensure all sectors, including financial services, are not tasked with duplicative designations and requirements with this proposed new program office,” they added.

The Department of Homeland Security (DHS) released this month the latest version of its Quadrennial Homeland Security Review (QHSR) document, which is updated every four years as required by law. The document comes at a time when cyber threats have evolved and increased since the founding of the department.

It also informs existing departmental processes for translating priorities into resources, including the DHS Strategic Plan and the annual budget development process. Also, nation-state threat actors are becoming increasingly sophisticated, targeting federal, state, and local government agencies, critical infrastructure companies, and others.
