The Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly today previewed the agency’s new strategic plan, as well as a request for information (RFI) on cybersecurity incident reporting that will both be released “in a couple days.”
CISA’s New Strategic Plan
Speaking at the Billington Cybersecurity Summit on September 7, Easterly said CISA’s strategic plan will have four pillars: cyber defense; risk reduction and resilience; operational collaboration; and agency unification.
“The plan that we’ve put together really reflects, not just the last four years since my predecessor and great friend Chris Krebs stood up the agency, but everything we’ve learned over the past year,” Easterly said. “It really capitalizes on what I think about as our superpower, which is collaboration and exercise through the most expansive information-sharing authorities that the U.S. government has.”
The first pillar is grounded in CISA’s role as America’s cyber defense agency, Easterly said, as is the second. She explained the risk reduction pillar is also “incredibly important when we’re holding ourselves accountable to what we are going to do to reduce risk and to work with our partners using mechanisms like the cybersecurity performance goals.”
The third pillar will also work to strengthen those partnerships and information-sharing authorities, she added.
“We’re now a full-grown operational component and we absolutely need to build a unified agency that is grounded in the culture that we are building, the core principles, and our core values of collaboration, innovation, service to the nation, and accountability to the American people,” Easterly said of the final pillar. “So, we’re very excited about the strategic plan.”
RFI Coming Soon
As for the RFI, Easterly said the agency will issue the RFI “very excitingly, in the next couple days” to all stakeholders to help inform CISA on its cybersecurity incident reporting rulemaking process.
Congress passed the Cyber Incident Reporting for Critical Infrastructure Act earlier this year as part of the full-year fiscal year 2022 spending legislation. The legislation obligates critical infrastructure owners and operators to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours.
However, implementation of the new reporting rules awaits CISA’s rulemaking on how to put the law into action, and in the process decide – among other things – what kinds of entities will be covered by the law.
The new reporting rules, and the coming RFI, “will finally allow us to have a much better understanding of what’s going on across the ecosystem,” Easterly said.
She also said CISA will hold 11 listening sessions across the country to gain additional feedback.
“My goal as the director sort of leading this process is to ensure maximum transparency, make sure it’s a consultative process, and ensure harmonization, and that will happen through the Cyber Incident Reporting Council,” Easterly said. “It’s hugely important… to make sure that we are not overly burdening the private sector.”