Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly is considering a big basket of recommendations delivered this week by the agency’s Cybersecurity Advisory Committee, including suggestions that the agency boost its workforce development and acquisition efforts and establish a new chief people officer position.
The workforce development recommendations top a list of numerous ideas offered to the agency by the advisory committee that CISA formed last year.
At a June 22 advisory committee meeting in Austin, Texas, the committee’s Transforming the Cyber Workforce Subcommittee offered up the chief people officer recommendation, along with others recommending that CISA:
- “Prioritize its strategic workforce development;
- Dramatically improve its talent acquisition process to be more competitive with the private sector;
- Radically expand recruitment efforts to identify candidates across their professional lifecycle; and
- Leverage talent identification and hiring success through interagency collaboration.”
Easterly said she is looking forward “to closely studying the recommendations.”
“I was thrilled to host CISA’s Cybersecurity Advisory Committee today in Austin to discuss the recommendations from Committee members that will help ensure that CISA is the cyber defense agency that this country truly needs and deserves,” Easterly said. With the advisory committee’s guidance “and the great work of the CISA team, we will help CISA fulfill its mission of ensuring the security and resilience of our critical infrastructure,” she said.
Focus on National Alert System
In addition to receiving a long list of recommendations from the advisory committee, Easterly assigned the committee the additional task of assessing “the feasibility and key characteristics of a national alert system for cyber risk.”
“The goal of this capability would be to provide a clear and simple method to convey the current severity of national cybersecurity risk to America’s critical infrastructure owners and operators taking advantage of the unique insights from CISA’s analysis of evolving threat activity and our global partners,” CISA said.
The agency added that a new alert system would be complementary to CISA’s existing production of alerts and advisories on actionable risks.
Other Recommendations
In addition to the workforce-related recommendations, the advisory committee offered up ideas to CISA on a wide range of issues, including:
From the Turning the Corner on Cyber Hygiene Subcommittee:
- Establishing a “311” national campaign to provide an emergency call line and clinics for assistance following cyber incidents for small and medium businesses;
- Further building out CISA’s “More Than A Password” multi-factor authentication (MFA) campaign to reach out to nonprofits, educational institutions, and government partners; and
- Taking “all available steps” to ensure companies are working with the Federal government to full adopt MFA by 2025.
From the Technical Advisory Council:
- Developing incentives and access to information to aid security researchers who will submit vulnerabilities affecting critical systems;
- Encouraging an environment that works to enable frustration-free vulnerability research and reporting;
- Investing in a central platform to facilitate the intake of suspect vulnerabilities and communication between security researchers, agencies, and vendors;
- Improving the notification processes after a disclosure has been verified and acted on; and
- Simplifying the reporting process and provide feedback to those reporting vulnerabilities.
From the Protecting Critical Infrastructure from Mis- Dis- and Mal (MDM) Information Subcommittee:
- Addressing MDM risks that undermine critical functions of American society; and
- Investing in external research to assess the impact of MDM threats and the efficacy of CISA’s MDM mitigation efforts.
From the Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee:
- No new recommendations, but the subcommittee discussed “how they are scoping the best frameworks to collaborate with industry to identify systemic risks across National Critical Functions including the need to hold tabletop exercises with critical infrastructure partners.”
From the Strategic Communications Subcommittee:
- Expanding the current MFA campaign to include a corporate partnership program with Fortune 500 companies; and
- Seconding the recommendation to launch a “311” national campaign to provide emergency call lines and clinics for assistance following cyber incidents.
The advisory committee is set to hold its next meeting on September 13.
