James Lewis
The Cybersecurity and Infrastructure Security Agency (CISA) is the lead agency for domestic cybersecurity and critical infrastructure protection. CISA is a major improvement over its predecessors. It has achieved many of the initial goals envisioned in its creation. The challenges CISA faces date to its inception: interagency rivalries, a lingering debate over the need for regulation, and resources for building a tech-centric workforce. CISA has been a success, but more could be done, and these essays lay out the rationale for further developing CISA’s missions.
A Fragmented Landscape Before CISA
Established in 2018, CISA is a relatively new agency and cybersecurity is a relatively new governmental function. DHS itself was created in January 2003 in response to the September 11 attacks, to ensure that another 9/11 never happened. The initial DHS component responsible for cybersecurity was the National Cyber Security Division (NCSD), established in June 2003. NCSD was created by merging existing cybersecurity organizations from other federal agencies. These included:
- Critical Infrastructure Assurance Office (CIAO, ambiguously attached to the Department of Commerce)
- National Infrastructure Protection Center (NIPC, formerly part of the FBI)
- Federal Computer Incident Response Center (FedCIRC, part of the National Institute of Standards and Technology, within the Department of Commerce)
- National Communications System (NCS, established in 1963 and managed by the Department of Defense)
NCSD was not a happy marriage of these previously competitive agencies, nor was cybersecurity a priority for DHS’s initial leadership. In 2007, NCSD was folded into a new National Protection and Programs Directorate (NPPD), to create a more cohesive entity that could address both cyber and physical threats to the nation’s infrastructure. This integration reflected the belief that physical and cyber threats were intertwined and best managed by a single directorate. This belief reflected an intermediate stage of threat evolution. The initial concerns, post-9/11, were physical threats. This was followed by growing awareness of the convergence of physical and cyber threats, which then evolved into a focus on cybersecurity and its role in physical security. But since 2007 there have been only a handful of minor physical attacks (more like vandalism) against facilities like electrical substations that serve a single community. It would take dozens of these attacks launched simultaneously to achieve the disruptive effect of a single large cyber attack.
NPPD merged disparate programs within DHS, including NCSD’s cyber work, physical infrastructure protection, federal facility security (the Federal Protective Service, which guards embassies and federal buildings), and emergency communications. NPPD struggled with a lack of clear mission, interagency competition, inadequate resources, and a fragmented strategy. Its structure (as an appendage of the Secretary’s Office) meant that it lacked the bureaucratic stature to compete in addressing increasingly sophisticated cyber threats, within government and also with industry. One NSA Director even proposed giving NSA the lead role in cyber infrastructure protection.
The dilemma with moving responsibility for cybersecurity away from DHS was that it would assign a domestic security role to DOD and to an IC-related part of DOD at that. This dilemma mirrored debates at the time on whether the US needed its own “MI5” for domestic security. The conclusion of that discussion was that the US did not need an MI5, as it already had the FBI. But FBI was also hindered in its cybersecurity role (which it had pioneered with the Clinton-era NIPC) because companies were reluctant to share information with a law enforcement agency. Nor was a small but noisy privacy community happy with an expanded role for either FBI or NSA, and this community had some influence with Congress.
CISA’s creation as a civilian, non-regulatory agency outside of law enforcement and intelligence addressed these concerns. Congress created CISA with the Cybersecurity and Infrastructure Security Agency Act of 2018. The bipartisan Act made CISA an independent agency within DHS. It gave CISA a clear mandate and increased its authorities, including designation as the lead federal agency for cyber and physical infrastructure security. CISA would coordinate cybersecurity and critical infrastructure activities with federal, state, local, tribal, and international counterparts. Its primary responsibility would be to protect “dot.gov,” civilian agencies within the federal government. The aim was to create a more effective Federal entity to lead national efforts to reduce risks to critical infrastructure.
EO 13636 and PPD-41
The new Agency began with a strong foundation in policy. The Obama Administration created a new basis for US cybersecurity policy and organization. Its February 2013 Executive Order 13636 adopted a voluntary, sector-specific approach that made individual regulatory agencies responsible for their sector rather than making DHS the cybersecurity “uberregulator.” Sector-specific agencies would use their existing authorities to ensure that cybersecurity was a priority for the sectors they oversee, and the Executive Order encouraged independent agencies to take a similar approach. A cornerstone for the EO is NIST’s Voluntary Cybersecurity Framework, which identified actions that agencies – and industry – could take to better understand, manage, and reduce cybersecurity risks to critical infrastructure, and which agencies could use to review their own regulations and assess whether they were adequate. NIST remains a vital partner for CISA.
The Administration also issued Presidential Policy Directive 41 (PPD-41), “United States Cyber Incident Coordination,” in 2016. PPD-41 created a structured approach for the federal government’s response to significant cyber incidents, clarifying roles and responsibilities for agencies, including DHS. It established a coordinated Federal response to significant cyber incidents, led by the National Security Council (NSC), and clarified which agencies were responsible for different aspects of a cyber incident. It designated FBI, CISA, and DOD as lead agencies for those different aspects: FBI leads in cybercrime, and if an incident is determined to be an attack by a state, DOD leads. PPD-41 created the Cyber Response Group and the Cyber Unified Coordination Group to provide the mechanism for Federal coordination. CISA benefitted from this clarity, and its establishment as a standalone agency in 2018 gave it more authority and resources to carry out its PPD-41 responsibilities.
CISA’s responsibilities expanded as a result of major cyber incidents and new policy directives. The SolarWinds attack in late 2020 highlighted systemic vulnerabilities in the software supply chain. Colonial Pipeline showed the risk of ransomware in disrupting critical services. These incidents led to Executive Order 14028 in May 2021, “Improving the Nation’s Cybersecurity.” The EO tasked CISA with developing baseline security standards for software sold to the government, establishing a Cyber Safety Review Board (partially modelled on the NTSB), and (working with OMB) improving threat information sharing.
The Arrival of ONCD
Concerned by the first Trump administration’s apparent downgrading of cybersecurity, Congress created a new layer of management at the White House, the Office of the National Cyber Director (ONCD). ONCD was headed by a Senate-confirmed individual who, in theory, reported directly to the President. This reporting structure created tensions with CISA – driven by a lack of clarity of roles and responsibilities – and with the NSC which already had the senior cyber role in the White House. The original thinking was to have either the senior White House role or the ONCD – not both.
ONCD’s disputes with CISA were not as intense as the intra-White House arguments. They involved defining the division of responsibilities. The current Administration seems to have settled on ONCD as the lead cyber policy maker, with a smaller NSC cyber office fulfilling its traditional foreign policy and defense role, CISA leading domestic cybersecurity, and FBI, DOD, and State responsible for their law enforcement, defense, and diplomatic functions.
Resources
CISA faces persistent challenges with resources and staffing. This has only gotten worse. A 2023 report from the DHS Office of Inspector General noted that CISA lacked the backup communication systems, staff, and secure spaces needed to effectively manage major cyber incidents. The rapid evolution of cyber threats often outstripped the agency’s ability to hire and train personnel. CISA was made the sector risk management agency for eight sectors. CISA’s election security and disinformation efforts attracted the ire of conservatives, and the inaptly-named “Department of Government Efficiency” (DOGE) made draconian cuts to CISA staff and contractors. New funding is unlikely in the near term, and one question for CISA is which missions should be a priority, given limited resources. One potential solution is to focus its mission on securing government networks and improving its work with industry to protect critical infrastructure.
Information Sharing and Collaboration
A core element of CISA’s work involves leading and facilitating information sharing between the government and the private sector. Congress intended CISA to be the private sector’s primary partner and CISA’s sweet spot has been its collaboration with the private sector. CISA became the central hub for sharing threat intelligence, vulnerability advisories, and best practices. As with its predecessors, there were complaints that information sharing was a one-way street, with companies not getting much in return for what they shared, but over time, CISA’s offerings improved and later initiatives like the Known Exploited Vulnerabilities (KEV) Catalog became crucial tools by providing a prioritized list of vulnerabilities that organizations should address immediately due to active exploitation. In 2022, CISA produced 416 vulnerability advisories and coordinated on over 700 cases. In Fiscal Year 2024, CISA released nearly 1,300 cyber defense alerts and advisories, a significant increase that includes a near-doubling of pre-ransomware alerts alone. Its joint threat advisories have also been effective in signaling to industry the importance of the information.
The creation of the Joint Cyber Defense Collaborative (JCDC) in 2021 provided a new mechanism for CISA’s collaboration with the private sector, and CISA introduced several new initiatives to proactively reduce cyber risk. JCDC received mixed reviews, but it was praised for its ability to quickly bring together government and private sector partners to respond to cyber incidents. Examples include coordinating responses to the Log4j vulnerability. JCDC was criticized for being too selective in which companies could participate and for engaging too many partners without a structure. Critics argued that the JCDC needed to be more operationally focused, with a clearer, proactive strategy for helping industry protect critical infrastructure. JCDC was reliant on contractors, and DOGE cuts and contract lapses could impede JCDC’s ability to function. Despite its value, JCDC was stood down by the Trump Administration.
CISA’s role in protecting and defending the networks of FCEB (Federal Civilian Executive Branch) agencies involves both coordination and monitoring. For coordination, CISA acts as the government’s central risk advisor, using Binding Operational Directives (BODs) and Emergency Directives (EDs) that compel FCEB agencies to fix specific, high-priority vulnerabilities. CISA is the hub for cyber threat information sharing across the government. For monitoring, CISA maintains situational awareness across the federal enterprise through programs like the Continuous Diagnostics and Mitigation (CDM) Program, which provides agencies with tools for real-time network visibility and risk management, and the National Cybersecurity Protection System (NCPS), which detects and prevents intrusions. Some of these are replacements for the older EINSTEIN intrusion detection system; others (like CDM) are new.
Regulate or Not?
CISA and its predecessors have always disavowed any regulatory role, in part due to the recognition that Congress is unlikely to provide new authorities. CISA largely operates on a voluntary basis, providing services and guidance that organizations can choose to adopt. While this builds trust and partnership, it also limits the agency’s ability to mandate changes in cybersecurity practices, particularly in the private sector. While CISA has been granted new authorities, such as the ability to issue administrative subpoenas, a fundamental tension remains between CISA’s role as a partner and its potential need for a more regulatory or enforcement-oriented function.
CISA’s Role in Risk Management
CISA attempted to expand its role beyond federal cybersecurity to become the nation’s “risk advisor.” CISA took a lead role in securing the 2020 and 2024 elections, providing voluntary support and services to state and local election officials, and combating election-related misinformation. More controversially, it attempted to help counter misinformation and disinformation. While DHS’s short-lived and ill-conceived Disinformation Governance Board (DGB) was not part of CISA, blowback from its rapid collapse damaged CISA. CISA’s work was subject to political scrutiny for its role in election security and its efforts with social media companies on disinformation. CISA’s first Director was fired in 2020 for publicly stating that the Presidential election was secure. While the Supreme Court has rejected claims of CISA coercing social media platforms, the legal challenges highlight the sensitive nature of an approach not specifically authorized in legislation.
CISA and the Future
As new Administrations grapple with cybersecurity, CISA will continue to evolve. The still-growing reliance on cyber infrastructure (and the effect of AI and quantum computing on this) and a worsening international environment will put even more demands on CISA. This collection of essays is a first step to draw on experience and address salient issues for the future of CISA. They include:
Why We Need a Team Defense in Cyber (Jeff Greene): Today’s complex cybersecurity landscape requires a team defense for national security, economic stability, and democratic resilience. While numerous U.S. government agencies, such as the FBI, NIST, NSA and Cyber Command play crucial roles, only CISA has the primary, unambiguous mission of cyber defense. CISA’s singular focus allows it to act as a central hub for public-private collaboration, coordinate vulnerability disclosures between researchers and vendors, secure federal civilian networks, and serve as an important voice for defenders in government policy discussions. This “defense-first” approach builds trust with external partners and ensures that resilience is prioritized, filling a critical gap that other agencies with broader, more varied missions cannot.
Beyond Federal Boundaries: The Evolving Role of CISA, SRMAs, MSPs, and CSPs in Critical Infrastructure Cyber Risk Management (David Mussington): Securing U.S. critical infrastructure requires a layered, cooperative approach that extends beyond federal policy. While CISA and Sector Risk Management Agencies (SRMAs) set high-level approaches, they face resource limitations that prevent them from providing hands-on, day-to-day cyber defense. This has shifted the operational burden to managed service providers (MSPs) and cloud service providers (CSPs), who are now frontline responders for individual assets and local jurisdictions. As MSPs and CSPs manage systems and patch vulnerabilities, they play a crucial role in preventing cyberattacks. However, this model introduces risks, including fragmented defenses, supply chain vulnerabilities, and reduced situational awareness for federal agencies. To address these challenges, federal policy must provide frameworks and incentives that empower local defense, set minimum expectations for vendors, and improve information sharing among all stakeholders, including non-governmental organizations (NGOs) like Information Sharing and Analysis Centers (ISACs).
Lessons Learned from Lessons Learned: The Cyber Safety Review Board Can’t Be Voluntary (Rob Knake): While the Cyber Safety Review Board (CSRB) has produced valuable reports, its voluntary, part-time model is not effective in investigating significant cyber incidents. The CSRB’s productive, yet scathingly critical, review of a Microsoft intrusion highlights that relying on a company’s good faith is not a reliable long-term strategy, as it may deter future cooperation. To be truly effective and meet its mission, the CSRB needs three major changes: it must be given unambiguous investigative and subpoena authority, similar to the National Transportation Safety Board (NTSB); it needs a full-time, professional staff of investigators to scale its operations; and it must be structured as an independent body to avoid conflicts of interest, particularly by not including members from the very government agencies whose actions may be under review.
Reauthorizing CISA and Cyber Threat Intelligence Sharing (Cristin Flynn): Passed in response to a wave of major data breaches, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) created a framework that provides legal protections for private companies to share cyber threat information with the government. While this act is important for its original purpose, its real value lies in what it can enable in the future. As the Cybersecurity and Infrastructure Security Agency (CISA) matures and develops its own robust threat-hunting capabilities across the federal government, it will shift from a role of simply disseminating information to one of true information sharing. By producing its own “first-party” data on threats and vulnerabilities, CISA can become an equal partner with the private sector and other intelligence agencies, fostering a more effective and reciprocal ecosystem for cybersecurity defense. Reauthorizing CISA 2015 is crucial to unlocking this potential, as it provides the legal foundation and trust necessary for this new era of collaborative defense.
