CISA will continue its focus on critical infrastructure security

COMMENTARY: Government agencies at both the state and federal levels are grappling with the challenge of modernizing and securing their infrastructure while facing tighter budgets and fewer resources than ever.

While the resource strain is very real, especially for the staff who remain after workforce reductions, this situation isn't likely to compromise critical infrastructure protection, a core mission of the Cybersecurity and Infrastructure Security Agency (CISA).

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Critical infrastructure protection is something the Trump administration has explicitly prioritized, including collaboration with state and critical infrastructure partners to secure all 16 designated sectors vital to Americans' daily lives.

For other areas that may experience budget cuts, the federal government has fostered stronger public-private collaboration, encouraging private sector involvement through various initiatives such as working groups, GitHub discussions, and public comment periods, as evidenced by programs like FedRAMP 20x and the CISA Secure-by-Design pledge.

However, we now know that one-third of the workforce at CISA has already left the agency through voluntary buyouts, early retirement, or layoffs. To understand how CISA will navigate these complexities and reshape the national cybersecurity landscape, I break down the strategic refocusing of the agency, the increasing emphasis on public-private collaboration, and the essential implications for securing critical missions.

Realigning CISA: Streamline and refocus efforts

The administration wants to streamline CISA, eliminate duplicate positions, reduce waste, and ultimately refocus efforts and resources on crucial public-private partnerships. It's important to note that the exact scope of these cuts remains a dynamic situation. Congressional proposals for CISA budget reductions are less severe than those initially put forth by President Trump, suggesting ongoing negotiations that will likely result in a compromise.

Regardless of the shifting landscape, there's a strong belief that the focus on critical infrastructure will remain largely unaffected. The administration has been explicit in outlining areas of focus and priority, and critical infrastructure consistently ranks high on this list. This commitment includes continuing vital liaisons with state governments to strengthen infrastructure security at the state level.

Build stronger public-private partnerships

In areas where budget realignments may occur, the federal government appears to be doubling down on its reliance on public-private partnerships. FedRAMP 20x stands out as a prime example of this strategy. This program actively encourages engagement from the private sector through avenues like working groups dedicated to setting standards, GitHub discussion groups for collaborative problem-solving, and public comment periods on new standards. It's anticipated that CISA will continue to pursue a similar collaborative path to ensure it leverages expertise, research, and intel from the private sector.

CISA also continues to support its Secure-by-Design principles. These principles encompass crucial security practices such as enabling multi-factor authentication (MFA), reducing default passwords, and proactively eliminating certain types of vulnerabilities from their products and services. By offering these guardrails for organizations to abide by, the government has armed the private sector with guidance versus expecting them to navigate this uncharted territory alone. I expect this to continue, especially as we watch regulations and guidance around AI come from the government.

How to secure agencies in a new era

Given the prevailing strain on resources, agencies should prioritize tools that offer comprehensive, cloud-agnostic security coverage, since that reflects the reality in which organizations operate today. These tools must offer precise risk scoring based on asset context and identified attack paths and, critically, integrate workflows across various functions, including compliance. Embracing such holistic approaches is essential to ensuring the continuity and integrity of agencies' missions.

Despite initial concerns, the impact of these changes may not be as severe as first anticipated. We've already seen significant positive momentum from initiatives like the CISA Secure-by-Design pledge and FedRAMP 20x, demonstrating the effectiveness of strong public-private partnerships. It's unlikely that any political group would support cutting vital resources for our cybersecurity infrastructure.

In the end, the budget adjustments are expected to land in a middle ground, allowing agencies to continue their essential mission of guiding the private sector forward during times of change and innovation.

Tim Chase, principal technical evangelist, Orca Security

Tim Chase

Tim Chase has been working in information security for over 20 years in many different roles, including leading security teams focusing on Cloud and AppSec. He has extensive experience working at the Board and Executive level to promote security and guide decision making. Over the last few years, he has been focusing his efforts on DevSecOps and the intersection of AppSec, DevOps, and Cloud. He has presented at multiple conferences on this topic, including RSA and ISSA InfoSec. In addition to this, he is a LinkedIn Training author where he has training to help build DevSecOps into the development pipeline.