The Cybersecurity and Infrastructure Security Agency (CISA) has made only limited progress in improving the overall quality of cyber threat data information it shares with third parties, and needs to do more to provide context for that shared information, the Department of Homeland Security (DHS) Office of Inspector General (IG) said in an oversight report.
The Cybersecurity Act of 2015 requires DHS to establish a capability and process for Federal entities to receive cyber threat information from non-Federal entities. CISA has addressed the basic information sharing requirements of the Cybersecurity Act of 2015 but has made limited progress in improving the overall quality of threat information, the IG said.
CISA’s Automated Indicator Sharing (AIS) service, which provides more than 300 partners with real-time unclassified cyber threat information and defensive measures, has failed to consistently provide adequate cyber threat indicators to participants for threat mitigation, according to the IG.
“Most of the cyber threat indicators did not contain enough contextual information to help decision-makers act. We attribute this to limited AIS functionality, inadequate staffing, and external factors,” the report says.
The DHS IG said that CISA has updated guidance when necessary, properly classified cyber threat indicators, and accurately accounted for security clearance provisions in the private sector. However, the AIS service was at times left without critical contextual information to take appropriate actions.
“Although CISA generally increased the number of AIS participants and number of cyber threat indicators shared and received, the quality of the cyber threat indicators was not adequate for participants to take necessary actions,” the report says.
These deficiencies in the quality of threat information sharing among AIS participants – which includes 52 Federal agencies – may hinder the Federal government’s ability to identify and mitigate potential cyber vulnerabilities and threats, the agency watchdog said.
The IG recommended that CISA complete system upgrades and develop a formal reporting process featuring quality controls. The IG also recommended that CISA hire necessary staff and encourage compliance with information-sharing agreements.
CISA agreed with all the recommendations, and said it was either in the processing of resolving specific issues, or had already done so. The agency also told the IG that it was building up contractual resources to better support information-sharing initiatives, which they anticipate completing by January 31, 2023.