The Cybersecurity and Infrastructure Security Agency is continuing its fast evolution as a standalone department, with CISA set to get its own procurement authority this month.
“We have some exciting news — our component acquisition executive gets initial procurement authority early July,” CISA Chief Information Officer Robert Costello said during an event hosted by the Homeland Security Defense Forum last week. “That’s a huge, huge deal.”
CISA will have its own contract specialists, Costello said. Currently, CISA relies on outside entities, including the Office of Procurement Operations at Department of Homeland Security headquarters, to carry out its procurement needs.
David Patrick is currently CISA’s chief acquisition executive, according to the agency’s website. Prior to CISA, Patrick served in various leadership roles in acquisition offices at Immigration and Customs Enforcement, DHS headquarters, and U.S. Customs and Border Protection.
Patrick is “leading the realignment of CISA acquisition and procurement activities and the transformation of the Office of the Chief Acquisition Executive,” CISA’s website states.
As one of the newest federal standalone agencies, CISA is still building out management and support operations that other agencies may take for granted. CISA was established as a standalone operational component of DHS in 2018, having previously been the National Protection and Programs Directorate at DHS headquarters.
“There’s a lot of work to do internally just on our own identity and culture,” Costello said. “Now we’re a component of equal rank to [the Transportation Security Administration] or CBP, so we’re developing our own culture here as well.”
CISA procurement plans
CISA is requesting $6.2 million in fiscal 2023 for 50 positions, including 25 full-time equivalents, to establish and build out a procurement team within the Office of the Chief Acquisition Executive, budget documents show.
“As a new agency, CISA does not currently have the internal procurement operations and support functions to effectively and efficiently support CISA’s growing and rapidly changing cybersecurity, infrastructure, emergency communications, risk management, stakeholder engagement, and other missions,” the documents state.
The new team will help CISA streamline and improve its procurement planning and execution by working more closely with other CISA divisions and programs, the justification documents continue.
Other goals include “identifying and utilizing existing contractual flexibilities and methodologies to best meet end-user needs in a rapidly changing environment,” as well as partnering more closely with industry through outreach events.
“A CISA procurement activity will operate as a full business partner and serve as a strategic asset dedicated to improving the agency’s overall business performance,” the documents state.
Costello joined CISA last year. He has experience at much larger IT divisions in other DHS components, though, including ICE and CBP.
At the cyber agency, Costello said he gets to be more “hands on” as CIO of a relatively new standalone component.
“There have been days where I’m handing out laptops or configuring stuff,” he said during last week’s event.
The CIO’s office has a staff of about 90 people, Costello said. A priority for the coming year, he said, is expanding support to CISA’s growing field operations, including statewide cybersecurity directors, chemical security advisors, and regional directors.
“I’m starting to embed my folks out in the field and provide improved services out there so that they have the same level of technology as we do here at headquarters,” Costello said.
CISA has seen rapid growth in recent years as both the Biden administration and Congress have looked to the agency to respond to cybersecurity threats in particular. The agency has taken on a lead role in the cybersecurity of the federal civilian executive branch. It’s also working more closely with private industry to combat cyber threats to critical infrastructure.
Costello said his role as CIO is to support those growing functions with up-to-date technology. But he said the CIO organization at CISA is still a work in progress.
“We’re definitely maturing a lot of our processes, building a component CIO office,” he said. “I really do think it’s going to take a few years to kind of get to the same level of say, an ICE or CBP, where we’re doing all those functions ourselves. And so in some areas, maybe I’ve slowed down some work because we’re not quite there at that maturity level as we stabilize other areas.”
With CISA looking to attract top cybersecurity talent, Costello said the agency needs to use the most up-to-date technology. He said a big focus for him has been supporting different devices, including Macs and Androids. In December, for example, CISA began using Slack for internal collaboration.
“We really need to be a place where people want to come to work for the tech,” Costello said.
Costello is also aiming to set the bar high when it comes to federal cybersecurity by ensuring CISA’s internal security complies with the agency’s mandates and guidance in areas like zero trust architectures.
A big focus for CISA’s internal security developments is identity, credential and access management (ICAM), an area in which Costello said the agency is currently “lacking.” But at the same time, the CIO said he has the advantage of being able to build new, “green field” solutions rather than needing to update an extensive legacy IT environment.
“I had some goals in mind this year,” Costello said. “We met a lot of them. Some of them are going to slip, and that’s okay, because I want to build a really strong foundation that CISA can build on for a decade. And so I’d rather take a six-month slip on a project than build a really poor foundation. So that’s what we’re concentrating on: identity, monitoring systems, and building our people and in teams up, deciding what the federal-to-contractor makeup is going to look like, and what skill sets that we need.”