Cybersecurity and Infrastructure Security Agency: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation

“Metrics. If the Secretary works with a consortium under subsection , the Secretary shall measure the effectiveness of the activities undertaken by the consortium under this Act.” The participation in such consortium of one or more historically Black colleges and universities, Hispanic-serving institutions, Tribal Colleges and Universities, other minority-serving institutions, and community colleges that participate in the National Centers of Excellence in Cybersecurity program, as carried out by the Department of Homeland Security. Conducting a privacy impact assessment of proposed rules of the Agency on the privacy of personal information, including the type of personal information collected and the number of people affected. Analysts under this subsection shall possess security clearances appropriate for their work under this section. To ensure that any material received pursuant to this chapter is protected from unauthorized disclosure and handled and used only for the performance of official duties.

It is also noted that, like any other Covered Entity, an insurance company may also be a Third Party Service Provider and/or Authorized User with respect to another Covered Entity, including an independent insurance agent. For purposes of this subsection, “external audit” means an audit that is conducted by an entity other than the state agency that is the subject of the audit. The date on which the state agency most recently backed up its data; the physical location of the backup, if the backup was affected; and if the backup was created using cloud computing.

Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity's Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. In contrast, non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute "effective continuous monitoring" for purposes of 23 NYCRR 500.5. Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies (referred to below as “the Cybersecurity Regulation” or “Part 500”).

To implement the requirements of the Cybersecurity and Infrastructure Security Agency Act of 2018, CISA leadership within the Department of Homeland Security launched an organizational transformation initiative. The act elevated CISA to agency status; prescribed changes to its structure, including mandating that it have separate divisions on cybersecurity, infrastructure security, and emergency communications; and assigned specific responsibilities to the agency. (See figure 1 below.) CISA completed the first two of three phases of its organizational transformation initiative, which resulted in, among other things, a new organization chart, consolidation of multiple incident response centers, and consolidation of points of contact for infrastructure security stakeholders. The voluntary NIST Cybersecurity Framework provides standards, guidelines and best practices to manage cybersecurity risk. It focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Executive Order signed by President Biden in May 2021 focuses on improving software supply chain security by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.

DFS plans to extend the new cybersecurity supervision tools to all regulated entities in 2022. The Department believes that analysis of unsuccessful threats is critically important to the ongoing development and improvement of cybersecurity programs, and Covered Entities are encouraged to continually develop their threat assessment programs. Notice of the especially serious unsuccessful attacks may be useful to the Department in carrying out its broader supervisory responsibilities, and the knowledge shared through such notice can be used to timely improve cybersecurity generally across the industries regulated by the Department.

Bridget Beans leads the Integrated Operations Division (IOD) for the Cybersecurity and Infrastructure Security Agency. IOD focuses on integrated operations across the Agency, extending to Regional CISA elements, intelligence, operational planning and mission execution, with a focus on risk mitigation and response efforts. Ms. Easterly was nominated by President Biden in April 2021 and unanimously confirmed by the Senate on July 12, 2021.