CISA Administrative Subpoena
The Cybersecurity and Infrastructure Security Agency (CISA) works around the clock to identify and mitigate cybersecurity vulnerabilities in the digital systems that underpin much of our nation’s critical infrastructure. A key element of these efforts includes notifying critical infrastructure entities of vulnerabilities in their systems. However, at times CISA analysts identify or receive information about vulnerable systems but cannot determine contact information for the owners or operators of the systems.
Under subsection (p) of Section 2209 of the Homeland Security Act, as amended (6 U.S.C. § 659(p)), CISA has the authority to issue administrative subpoenas for the production of information necessary to identify and notify an entity at risk. This authority applies when CISA identifies a system connected to the internet with a specific security vulnerability and has reason to believe the security vulnerability relates to critical infrastructure and affects a covered device or system but is unable to identify the entity at risk.
CISA will issue administrative subpoenas from CISA.ADMIN.SUBPOENA@CISA.DHS.GOV. If you received an administrative subpoena from CISA, you can reach us using the contact information below.
If you would like to validate that an administrative subpoena you received is from an authorized representative of CISA, please visit our Subpoena Signature Resources page.
Please check back soon as we will be adding more information in the coming months.
Contact Information: CISA.ADMIN.SUBPOENA@CISA.DHS.GOV
Admin Subpoena Documents
- CY2022 Administrative Subpoena for Vulnerability Notification Year in Review
- CY2021 Administrative Subpoena for Vulnerability Notification Year in Review
- Privacy Review of Admin Subpoena Procedures Congressional Report
Responding to Notice of a Subpoena
Critical infrastructure entities may receive a communication from CISA indicating that CISA has obtained their information pursuant to a subpoena, and that a vulnerability is present on their network.
CISA encourages critical infrastructure entities to investigate and resolve the issue but does not require them to do so. CISA offers a variety of services and assistance that may be available upon request.
Retention of Data Obtained by Subpoenas
Information obtained by administrative subpoenas is stored and archived, as needed, by CISA subject to the following deletion requirements:
- If the information in an administrative subpoena response is unrelated to critical infrastructure, CISA destroys non-public information from the administrative subpoena response immediately upon providing notification to the entity.
- Unless otherwise agreed to by the individual whose personally identifiable information (PII) is contained in the administrative subpoena response, CISA will destroy the PII contained in an administrative subpoena response no later than six months after receipt of the response.
The CISA Privacy Office periodically audits records of active and completed administrative subpoenas to verify that these administrative subpoenas are maintained and disposed of in accordance with the handling and disposition requirements from the law and procedure.
Sharing of Data Obtained by Subpoenas
CISA has restrictions on sharing non-public information obtained through administrative subpoenas. CISA only shares non-public information obtained through administrative subpoenas in the following two circumstances:
- CISA may share the information with DOJ for the purpose of enforcing such subpoena.
- CISA may share the information with a federal agency if all of the following conditions apply:
  - CISA identifies or is notified of a cybersecurity incident involving the entity whose non-public information was obtained through the subpoena, and that incident relates to the vulnerability which led to the issuance of the subpoena;
  - CISA determines that sharing the nonpublic information with another federal department or agency is necessary to allow such department or agency to take a law enforcement or national security action, or actions related to mitigating or otherwise resolving the incident;
  - The entity to which the information pertains is notified of CISA’s determination, to the extent practicable consistent with national security or law enforcement interests; and
  - The notified entity consents to the sharing (Note: this consent is not required if another federal department or agency identifies the entity to CISA in connection with a suspected cybersecurity incident).