During its quarterly meeting on Friday, the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Advisory Committee (CSAC) approved recommendations in four reports delivered to Director Jen Easterly aimed at bolstering resilience for critical infrastructure and open source security, as well as ensuring adoption of the agency’s secure by design initiative and increasing the agency’s public outreach.

The reports were drafted by subcommittees of CSAC and included more than a dozen recommendations for CISA.

The report written by the building resilience subcommittee found that government agencies and critical infrastructure entities are not prepared for a cyber conflict with China.

The report on building resilience included four recommendations for CISA, such as tasking the Joint Cyber Defense Collaborative to work with Sector Risk Management Agencies to ensure resilience and contingency planning for future cyber conflicts with China.

The report also calls on CISA to increase the engagement of the vendor community and smaller Systemically Important Entities in cyber defense efforts and measure the impact of advisories on threat actors by collecting targeted data.

The secure by design subcommittee said that CISA has “successfully raised the cybersecurity bar” with its secure by design principles, but that the agency now needs to do the work to encourage their widespread adoption.

Among this report’s three recommendations, the subcommittee called on CISA to undertake a “multi-year” effort to secure critical infrastructure by designing a framework based on CISA’s secure by design principles that is “easily consumable and executable by both technical and non-technical people.”

The strategic communications subcommittee’s report focused on CISA’s ability to raise awareness of what the agency is and does, and to provide actionable guidance to its key stakeholder groups.

“CISA is not a traditional regulatory agency. It cannot require stakeholders to do things the way regulatory agencies can. Therefore, CISA must rely on its ability to convince its stakeholders to take recommended actions, and it can only do this if its messages are heard and trusted,” the report says. “CISA needs more capacity to reach stakeholders and must employ different strategies to reach different stakeholder groups. The subcommittee also noted that trust and confidence in CISA’s brand will be critical to the agency’s ability to recruit top talent.”

The final report focuses on CISA’s ability to encourage the adoption of safe consumption norms for open source software, while also encouraging companies to contribute fixes and enhancements back to the open source projects.

One recommendation calls for publishing guidance on open source consumption, covering what to consider when selecting open source security components for use in projects, as well as how to justify to management upstreaming important changes that will benefit the source OSS project.

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.