Why CISA Won’t Release ‘Public’ Comments on Upcoming Performance Goals
CISA officials often stress their non-regulatory role, but Congress keeps trying to give the agency regulatory responsibilities.
The Cybersecurity and Infrastructure Security Agency’s promise to conceal stakeholders’ feedback on what should function as baseline security measures for critical infrastructure companies is in tension with its commitment to transparency.
“It would be consistent with CISA's commitment to transparency to make the comments public,” Suzanne Spaulding, a former chief of the Department of Homeland Security agency that would become CISA, told Nextgov. “It could be tricky, however, if they didn't make clear at the outset that the comments would be public."
Spaulding, now a senior homeland security adviser and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies, was referring to comments CISA sought from stakeholders in shaping goals for the companies to meet in order to defend their industrial control systems and maintain essential services during a cyberattack.
CISA didn’t neglect to disclose at the outset that comments collected on the performance goals would be public, it deliberately precluded the comments’ release. The agency’s webpage on the initiative notes that engagement with relevant agencies and private-sector stakeholders is happening through the Critical Partnership Advisory Council. Following the attacks of Sept. 11, 2001, Congress authorized CIPACs at the Department of Homeland Security—where CISA is housed—to facilitate frank and open input from companies about what is needed to protect the homeland from attacks by exempting such meetings from transparency rules that govern other federal advisory committees.
The goals won’t necessarily be mandatory for industry
Unlike the process under which CISA is soliciting comments from the public for implementation of the Cyber Incident Reporting for Critical Infrastructure Act, CISA’s consideration of stakeholder comments on the cybersecurity performance goals is not for a direct application of regulatory authority.
“Our request for written input was an information solicitation and was not governed by formal administrative procedures like a [Request for Information],” according to a CISA spokesperson. “Given that, it would be unusual to release the written comments, given both the voluntary nature of the [Cybersecurity Performance Goals] and our intent to continue requesting feedback even after the CPGs are released this month.”
But while the July 2021 national security memo instructing CISA to establish the performance goals does not itself mandate private-sector adherence to them, agency leaders and lawmakers are considering how the goals might be used as the basis for mandates down the line, most immediately for federal contractors.
The national security memo allows CISA, working with relevant agencies governing specific sectors in setting the goals, to “include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our nation.” And it says the performance goals “should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services.”
During a Sept. 15 hearing of the House Homeland Security Committee, CISA Executive Assistant Director Eric Goldstein said the agency is also aligning the performance goals with software security requirements for federal agencies from the Office of Management and Budget. Those requirements were issued under Executive Order 14028, the administration’s primary response last May to SolarWinds, Colonial Pipeline and the other major hacks of 2021.
Lawmakers highlight need for “untapped” feedback, transparency
Members of Congress—along with senior members of the administration seeking to embolden agencies’ use of their regulatory authorities—have pushed for CISA to produce similar “performance goals” in legislation that has been included in the House-passed National Defense Authorization Act. That legislation also calls for an interagency council led by CISA Director Jen Easterly and Office of the National Cyber Director Chris Inglis to assign federal agencies for the management of various critical-infrastructure sectors.
“I believe we need to revamp our playbook for securing [operational technology], and the common baseline performance goals that CISA is developing might create a foundation to do just that, but only if it gets it right,” Rep. Evette Clarke, D-N.Y., chair of the Homeland Security Committee’s panel on cybersecurity, said during the Sept.15 hearing.
“What mechanisms does CISA have in place to engage with stakeholders and solicit feedback, and is CISA proactively seeking new, untapped stakeholder groups who may have novel insight to share?” she asked Goldstein during the recent hearing.
Goldstein touted the agency’s efforts in response: “We have gone through two rounds of robust stakeholder feedback, both of which included public review. We received, remarkably, over 2,000 comments on the cybersecurity performance goals and held a variety of workshops, including both for sectoral partners and the general public, as well as listening sessions across our stakeholder groups.”
Those rounds of outreach also intentionally sought unique perspectives outside the usual stakeholders CISA regularly talks to, Goldstein added.
“We reached out uniquely to our international partners, to academia to researchers to owner operators, device manufacturers, integrators, entities across the spectrum,” he said.
Other lawmakers considering an update to the government’s role in defending the country from cyberattacks also highlighted a lack of insight into the result of the voluntary approach pursued in Biden’s ICS initiative, which involved intensely focusing on a particular sector for multiple months.
“I’ve read the press releases about the 100-day cybersecurity sprints but it seems like there's no real transparency around them,” Rep. Ritchie Torres, D-N.Y., told Goldstein during the hearing. “There has been no reporting regarding the results of these sprints. Do you intend to report the failures and successes of these sprint's or the lessons learned from them?”
Goldstein deferred to the White House for reporting on the initiative. On Tuesday, the White House pointed to its call for the performance goals in declaring its cybersecurity efforts a success.
CISA does have experience regulating cybersecurity
In discussions on the agency’s role, CISA leaders—including Director Jen Easterly—have stressed their non-regulatory approach to managing cybersecurity, but the agency can and does exercise significant regulatory powers.
Lawmakers have discussed the potential need to appoint an agency for managing cybersecurity risk presented by providers of “commercial” information communications technology, including powerful cloud service providers and sellers of other software products and services. Such “commercial off-the-shelf,” or COTS, items were exempt from cybersecurity management under the 2013 presidential policy directive that President Joe Biden based his national security memo on. And CISA’s performance goals could have a more immediate effect on the federal government’s cybersecurity through inclusion in agencies’ procurement requirements, based on their implementation of the executive order on secure software development.
In contrast to the hazy world of cloud service providers and other software products and services that might be considered critical for maintaining essential services, CISA has clear regulatory authority over the chemical sector. And Spaulding and others, including the Government Accountability Office, have pointed to the system CISA uses there as a potential model to follow in areas where the responsibility for managing cybersecurity risk is unclear, or inactive.
Easterly herself noted how impressed she was by the standards used in the chemical sector for their early consideration of how to mitigate risks specifically presented by industrial control systems, which a hacker could manipulate with potentially catastrophic physical consequences. That danger grew over the course of the pandemic, as workers increasingly relied on remote access for managing such systems, and information technology and operational technology became further intertwined.
How stakeholder feedback has already changed the performance goals
Last September, on deadline, CISA published its first draft of cross-sector performance goals for protecting the industrial control systems running critical infrastructure. The goals referenced the Chemical Facilities Anti-Terrorism Standards, or CFATS, in addition to previous guidance from CISA and the National Institute of Standards and Technology. The draft listed “sample evidence of implementation” for “baseline objectives” in goals for nine areas, including “risk management and cybersecurity governance,” and “architecture and design.”
Whether an “organization employs firewalls, access control lists and one-way communication diodes,” could serve as evidence it tried to establish and protect a boundary around the control systems, for example, according to the initial draft of the goals.
After an early round of comments, at the start of the year, CISA removed the first draft of the cybersecurity performance goals from its website and released version 2.0 of the draft goals. The new document does not reference the CFATs. It relies heavily on the NIST Cybersecurity Framework of 2014, and includes guidelines for organizations to establish their own metrics for determining the extent to which a list of baseline “controls” are implemented.
The new performance goals say, in measuring segmentation of IT and OT networks, “Communications into the OT network must go through a tightly controlled and logged intermediary, such as a bastion host or a ‘jump box,’” for example.
CISA, working with NIST, was not required to solicit, or publish, stakeholder comments for establishing the performance goals. But in April, comments NIST collected for updating its 2014 framework showed USTelecom pushing for the framework to remain mappable to the performance goals CISA is ultimately responsible for producing.
In August, after CISA issued calls for feedback from the broader public on the second version of the performance goals, other trade associations for providers of commercial information and communications technology joined USTelecom in expressing their continued dissatisfaction with the cross-sector performance goals, despite the significant changes. The industry groups shared their later comments to CISA with the Washington Post.
“At a minimum, CISA should remove language like ‘must,’” read comments submitted by USTelecom, wireless communications association CTIA and NCTA–The Internet and Television Association. “Segmentation can be costly and can impede access to business or mission-critical applications. An overly rigid expectation for default segmentation would deprive organizations of the capability to manage their systems and networks.”
The information and communications technology industry is already very well represented within CISA, forming the base of the agency’s Joint Cyber Defense Collaborative and the Information and Communications Technology Supply Chain Risk Management task force.
A matter of trust
Asked to comment for this story, spokespeople for CISA said the agency’s outreach specifically for comments from the broader public consisted of two tweets and the “information solicitation” referenced above. CISA did not respond to a request following up on where the information was solicited beyond the tweets and the agency’s webpage. There was no press release requesting comments from the public.
And during the introductory remarks of a virtual workshop the agency held specifically to receive input from the public—as opposed to the critical infrastructure operators the agency is engaging with under CIPAC authorities—Goldstein also promised ahead of time that feedback shared on the goals would not be made public.
Regulatory agencies—some of which are risk management agencies CISA must work with to finalize sector-specific performance goals—typically cite specific comments they receive as part of a rulemaking process to support their decisions. They publish the comments they receive and explain why they agreed with some and disagreed with others on various parts of an ultimate rule, lest they be challenged in court as capricious.
On the performance goals, CISA told Nextgov the agency’s plan for keeping stakeholders engaged in a process of constantly cultivating the goals as a standard to meet is to ask for their trust.
“CISA is committed to being as transparent as possible throughout this process, which is why we plan to release a summary of the input we have received,” an agency spokesperson said.
The final cross-sector cybersecurity performance goals are now over two months overdue under the national security memo.