CISA Through the Years: Policy and Impact
Over the course of the last four years, CISA has played a critical and evolving role in the nation’s policy and strategy on cybersecurity, infrastructure security, and resilience. As a relatively new agency, we have been shaped and molded by these national policy activities: they have defined who we are as an agency, our role in the interagency, and our biggest priorities. As we begin to look forward to 2025 and beyond, we wanted to highlight some of the most influential policy efforts in recent years.
2021
In the wake of the SolarWinds supply chain attack, Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," was issued in May, tasking CISA with a variety of actions to strengthen the security of federal government networks, including removing barriers to threat information sharing, modernizing and implementing stronger cybersecurity standards for the federal government, and improving software supply chain security. Later in the year, the administration issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, which directed CISA to develop a series of Cybersecurity Performance Goals (CPGs) to meaningfully reduce risks to both critical infrastructure operations and the American people. These CPGs are a subset of cybersecurity practices, selected through a thorough process of industry, government, and expert consultation, aimed at helping small- and medium-sized organizations kickstart their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes.
2022
In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law, requiring covered critical infrastructure entities to report covered cyber incidents and ransom payments to CISA within 24 hours after a payment is made. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims – better arming CISA to achieve its mission as the nation’s cyber defense agency.
CIRCIA also established two additional efforts: the Joint Ransomware Task Force (JRTF) and the Ransomware Vulnerability Warning Pilot (RVWP) program. The JRTF serves as the central body for coordinating an ongoing nationwide campaign against ransomware attacks, in addition to identifying and pursuing opportunities for international cooperation. Co-chaired by CISA and the Federal Bureau of Investigation (FBI), the JRTF coordinates existing interagency ransomware efforts and works to identify new initiatives to effectively leverage the unique authorities and capabilities across the U.S. government and the private sector to address ransomware threats.
Through the RVWP, CISA has identified vulnerabilities commonly associated with known ransomware exploitation and warned critical infrastructure entities whose networks or devices may be susceptible to those vulnerabilities, enabling mitigation before a ransomware incident occurs. The RVWP completed 1,754 notifications in 2023 to entities operating an internet-accessible vulnerable device. Following notification of the vulnerabilities, CISA regularly conducted vulnerability scans to determine whether the entities appeared to have mitigated their vulnerable devices. Our findings indicated that for 852 of the 1,754 notifications (49%), the vulnerable device was patched, protected by a compensating control, or taken offline after notification from CISA.
2023
The 2023 National Cybersecurity Strategy (NCS) laid out the national approach to increasing the ecosystem’s cybersecurity. It detailed a comprehensive list of actions for CISA to take alongside our federal partners and allies, including updating the National Cyber Incident Response Plan, countering ransomware through the JRTF, and enhancing operational collaboration efforts with industry partners. These actions were outlined in more detail in the National Cyber Strategy Implementation Plan, which provided a roadmap for the implementation of the NCS.
In late October of 2023, Executive Order (EO) 14110, “Safe, Secure, And Trustworthy Development and Use of Artificial Intelligence (AI),” highlighted CISA’s role in helping critical infrastructure stakeholders and the rest of the federal government leverage AI benefits while mitigating potential risks posed by this technology. Our work under the EO includes protecting critical infrastructure, assuring the security of AI systems, and leveraging the power of AI to enhance cyber defense.
2024
Most recently, on April 30, 2024, the National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22) further codified CISA’s statutory role as the National Coordinator for the Security and Resilience of U.S. Critical Infrastructure, empowering us to implement a new risk management cycle that prioritizes collaborating with partners to identify and mitigate sector, cross-sector, and nationally significant risk. This cycle, which will be refreshed biennially, enables systematic risk reduction efforts that the U.S. government will take in collaboration with relevant partners. The culmination of this cycle is the creation of the 2025 National Infrastructure Risk Management Plan, which will guide federal efforts to secure and protect critical infrastructure over the coming years. These efforts will be critical to helping the U.S. government better understand sector and cross-sector risk and more efficiently prioritize risk reduction efforts going forward.
CISA’s role has evolved and will continue to evolve to reflect the threat landscape and policy ecosystem that the United States operates in. We look forward to continued partnership with our federal, SLTT, and private sector partners to better secure our world.