A Brief Introduction to CISA (James Lewis)

  • CISA evolved from a fragmented agency landscape, consolidating multiple predecessor agencies (NCSD, NPPD) that struggled with unclear missions, interagency rivalries, and inadequate resources before its establishment as an independent agency in 2018.
  • Strong policy foundations (EO 13636, PPD-41, EO 14028) clarified CISA’s role as the lead federal agency for domestic cybersecurity and critical infrastructure protection, with primary responsibility for protecting civilian federal agencies.
  • CISA faces persistent challenges including severe resource constraints (exacerbated by DOGE cuts), tensions with ONCD over overlapping authorities, and ongoing debates about whether it should have regulatory powers beyond its current voluntary, partnership approach.

Why We Need a Team Defense in Cyber (Jeff Greene)

  • CISA is the only U.S. government agency with an unambiguous mission focused on cyber defense, distinguishing it from agencies like FBI (law enforcement), NSA (intelligence), and NIST (standards).
  • CISA’s “defense-first” focus enables it to serve as a trusted, neutral intermediary in critical functions like coordinated vulnerability disclosure, where researchers and vendors need a non-regulatory, non-law enforcement partner to facilitate responsible security improvements.
  • CISA’s brand credibility and defender-centric posture—demonstrated through programs like the KEV Catalog, Shields Up campaign, and cross-agency monitoring capabilities—makes it an essential voice in government policy debates and a vital resource for network defenders nationwide.

CISA and the Civilian Face of Cybersecurity (Bobbie Stempfley)

  • Cyber resilience begins locally with state/local governments and industry—not in Washington—making CISA’s role as a civilian, non-regulatory partner essential for connecting federal insight with local action while respecting civil liberties and avoiding the trust issues associated with law enforcement or intelligence agencies.
  • CISA successfully translates national intelligence into actionable local warnings (e.g. 2,100-plus pre-ransomware alerts in 2024) and bridges gaps between large technology companies and resource-constrained municipalities, counties, hospitals and school districts that face the hardest challenges in defending against cyber attacks.
  • Credibility depends on measurable outcomes and transparency, demonstrated through initiatives like phishing-resistant MFA deployment tracking at USDA, detailed incident response timelines, and the Nationwide Cybersecurity Review self-assessment tool that provides communities with benchmarks for improvement.

Beyond Federal Boundaries (David Mussington)

  • Resource constraints at CISA and Sector Risk Management Agencies (SRMAs) have shifted the operational burden of cyber defense to managed service providers (MSPs) and cloud service providers (CSPs), who now serve as frontline responders for critical infrastructure security at the asset and local levels.
  • This decentralized model can create significant risks including fragmented defenses, supply chain vulnerabilities (as seen in Log4j), accountability gaps, and reduced federal situational awareness, since CISA often learns of breaches through news reports rather than direct notification.
  • Effective national resilience requires federal policy to provide frameworks and incentives that empower local defense, set minimum vendor standards, strengthen ISACs/ISAOs as trusted intermediaries, and establish clear protocols for escalating asset-level incidents to sector and federal authorities.

Reauthorizing CISA 2015 (Cristin Flynn Goodwin)

  • The Cybersecurity Information Sharing Act of 2015, which provides legal protections for private sector threat information sharing with government, expired on September 30, 2025 and should be reauthorized to maintain stability in both public-private and private-private sector information exchanges.
  • CISA currently functions primarily as an information disseminator rather than a true sharing partner because it still lacks significant first-party threat data, creating an imbalance where companies must weigh what to share, knowing it could be broadly distributed across federal agencies.
  • CISA’s future potential lies in developing robust threat-hunting capabilities across the Federal Civilian Executive Branch (using tools like CDM and EINSTEIN) to generate its own intelligence, transforming it into an equal partner to FBI and NSA that can truly “share” rather than just “receive and disseminate” threat information.

Lessons Learned from Lessons Learned: The CSRB Can’t Be Voluntary (Rob Knake)

  • The Cyber Safety Review Board’s scathing report on Microsoft’s 2023 Exchange Online intrusion—while exemplary—likely destroyed prospects for future voluntary corporate cooperation, as no rational CEO would willingly participate in a process that could harm shareholder value without legal compulsion.
  • The CSRB needs three fundamental reforms to be effective: unambiguous investigative and subpoena authority (modeled on the NTSB), a full-time professional investigative staff paid at market rates to handle multiple concurrent investigations, and true independence from federal agencies whose actions may be under review.
  • The current part-time, voluntary model cannot scale to meet the challenge—numerous significant incidents (Colonial Pipeline, Kaseya, MOVEit, CrowdStrike outages) have gone uninvestigated, and having federal agency representatives serve as board members creates inherent conflicts when those agencies’ failures should be examined.