The Cybersecurity and Infrastructure Security Agency is marking out an ambitious vision to lead federal cyber defense and critical infrastructure resilience efforts in its latest strategy, including a major focus on “agency unification” and workforce engagement.
CISA released its 2023-2025 strategic plan today. The document sketches out four major goals to spearhead national cyber defense efforts, reduce risks to and strengthen resilience of critical infrastructure, strengthen operational collaboration and information sharing, and unify as “One CISA.”
The plan comes as CISA has received increased funding and bipartisan support from Congress in recent years, especially in the aftermath of cyber attacks like the SolarWinds campaign and the Colonial Pipeline ransomware shutdown.
Chris Cummiskey, former Department of Homeland Security undersecretary for management, says the plan gives lawmakers more to consider when appropriating money for the cyber-focused agency.
“Something will pop up and then money will be appropriated from Congress, because they’re reacting to what they’re seeing, like with SolarWinds,” Cummiskey said. “But having a document like this in place will help project a clear message to Congress that if you’re going to make investments, these are the kinds of places that make the most sense, and then it’s really a question of execution within CISA to get the job done.”
It’s the first plan the agency has released since it was spun out of the Department of Homeland Security’s National Protection and Programs Directorate in 2018.
“We’re built off the back of a staff element,” CISA Director Jen Easterly said at last week’s Billington Cybersecurity Summit. “We’re now a full grown operational component. And we absolutely need to build a unified agency that is grounded in the culture that we are building, the core principles and our core values of collaboration, innovation, service to the nation, and accountability to the American people.”
The “agency unification” goal includes an objective to strengthen and integrate CISA’s management functions, including how it prioritizes funding. The agency’s major programs include the Continuous Diagnostics and Mitigation (CDM) program, which provides agencies with cybersecurity tools and dashboards, as well as the EINSTEIN intrusion protection and detection system, among others.
“We will better integrate the Planning, Programming, Budgeting, Execution, and Evaluation (PPBEE) process into CISA governance processes and decisions to continue to be good stewards of public funds, provide effective internal controls for essential operational functions (e.g., payroll, invoicing, etc.), and support wise investment decisions,” the plan states.
Cummiskey also pointed to how CISA recently received procurement authority. The agency is set to hire up to 50 contracting professionals over the next year.
“That is a really big deal in terms of maturing your business processes, having an acquisition and procurement lifecycle that you adhere to for all of your major investments,” Cummiskey said. “And so those things working in tandem can be very powerful in advancing their maturity.”
CISA is also focused on cultivating and growing a “high-performing workforce,” the plan says, to attract and retain the “most talented cyber and infrastructure defenders.”
The strategic plan highlights DHS’s new Cyber Talent Management System, a new personnel system instituted last year intended to make it easier for CISA and other Homeland Security agencies to compete with the private sector for people with cyber qualifications.
“We will implement a world-class talent ecosystem that spans recruiting, hiring, training, recognition, advancement, retention, and succession planning,” the plan states. “To prevent future shortages that threaten our ability to compete, we will proactively seek, identify, and foster prospective talent from non-traditional places.”
It also homes in on retention efforts at the growing agency.
“To foster employee retention, we must ensure equal access to professional development and educational opportunities for employees and leaders at all levels,” the plan states. “We will deepen our mentoring and coaching programs across the organization, while rewarding exceptional CISA performers.”
Workplace culture is also a major focus of the strategic plan and its concept of “One CISA.”
“We will prioritize an environment of psychological safety where people can be their authentic selves; where they feel cared for, supported, empowered, and always treated with dignity and respect; where they feel a sense of ownership for mission; and where accountability and responsibility are welcome,” the plan states. “We will prioritize wellness and resilience across our agency by systematically mitigating burnout and providing access to mental health resources.”
Cummiskey said recruiting and retaining cyber talent has been a long-term challenge at DHS, pointing out that it doesn’t just compete with the private sector, but also with other federal entities like the National Security Agency and U.S. Cyber Command.
“You’re constantly working against that wave,” he said. “And so I think CISA has done a good job since becoming its own agency of being able to differentiate itself and say, ‘Look, come spend two years here with us. And then you can go on to do something else.’ But DHS is a good place to start along that path.”