Make no mistake about it, the Department of Homeland Security’s newest agency, the Cybersecurity and Infrastructure Security Agency (CISA), is serious about cyber. Not even one year old, CISA has taken on the responsibility of protecting the nation’s critical infrastructure from cyber threats. Taking a collaborative approach, the agency states the following as its mission:
CISA partners with industry and government to understand and manage risk to our Nation’s critical infrastructure
On April 3, 2019, in furtherance of agency efforts, CISA’s Chief Counsel, Daniel Sutherland, and Steven Kaufman, Principal Deputy General Chief Counsel, spoke about how CISA can help your organization and its clients protect against and respond to cyber incidents. This in-depth look into the agency, presented by McGuireWoods and the Mecklenburg County Bar, highlighted how CISA’s approach will benefit both federal and non-federal organizations.
CISA: A Different Type of Federal Agency
Introductory remarks had no sooner concluded before Chief Counsel Sutherland outlined exactly what CISA is not:
We are a non-regulatory, non-law enforcement, non-intelligence community.
In other words, CISA is not interested in bringing action against the victims of a cyber-attack. Rather, CISA is focused on identifying, preventing, and stopping cyber-attacks against critical infrastructure. Specifically, CISA is “authorized to share information related to cybersecurity risks and incidents, and provide technical assistance upon request.” Additionally, the National Cybersecurity and Communications Integration Center (NCCIC) is authorized to:
- Receive information relating to cybersecurity risks and incidents;
- Analyze and integrate “cross-sector integration and analysis, of cyber threat indicators, defensive measures, cybersecurity risks, and incidents”; and
- Disseminate “cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities.”
Because CISA is not structured as a regulatory agency with enforcement authority, the organization is free to focus entirely on the mission of understanding, managing, and preventing cyber-attacks.
Reasonable Cybersecurity Practices
As a non-regulatory, non-law enforcement, and non-intelligence agency, CISA fulfills its mission, in part, through effective information sharing. Successful information sharing depends on participation from non-federal entities interested in helping CISA “manage risk to our Nation’s critical infrastructure.” In addition to helping combat cyber-attacks, sharing information with CISA can help your business demonstrate compliance with various state regulations that require the implementation of reasonable cybersecurity practices. For example, as the NY DFS Cybersecurity Requirements for Financial Services continue to set a national standard for cybersecurity practices, compliance with NY DFS includes, in part, maintaining written and reasonable cybersecurity policies. Written, reasonable, and defensible cybersecurity practices include information sharing policies, such as those offered by CISA.
Information shared with CISA is afforded certain protections including:
- Stakeholders that share information with the NCCIC are eligible for certain protections under CISA so long as the stakeholder meets certain requirements;
- Stakeholders that share information with or receive technical assistance from the NCCIC may invoke Protected Critical Infrastructure Information (PCII) protections; and
- Information shared through CISCP/AIS is sanitized to protect stakeholders’ identities.
As America’s electrical grid, water supply, internet, transportation, financial systems, healthcare networks, and other infrastructure become increasingly interdependent and connected, collaborative information sharing and partnerships between industry and government are imperative. CISA is the latest tool your business can use to help prevent cyber-attacks and secure critical business operations.