The federal Cybersecurity and Infrastructure Security Agency (CISA) is the federal government’s newest agency, its Region 9 Director David Rosado told attendees at the California Cybersecurity Education Summit, hosted by Government Technology magazine* in Sacramento. It’s an “operational component” of the federal Department of Homeland Security (DHS), per its website; Region 9 covers Arizona, California, Hawaii, Nevada, the territories of American Samoa and Guam, and the Commonwealth of the Northern Mariana Islands. Signed into law by the president on Nov. 16, 2018, as part of the Cybersecurity and Infrastructure Security Agency Act of 2018, CISA works to “secure and make resilient our critical infrastructure, including physical and cyber,” Rosado told more than 100 attendees, and it seeks to “understand, manage, and reduce risks.” Among the takeaways:
- As part of its commitment to work with other entities, CISA has established the State and Local Cybersecurity Grant Program (SLCGP), Rosado told those assembled, indicating: “This is something we’re really excited about as well, as an agency. This is the first-of-its-kind cyber grant for state and local tribal partners.” The SLCGP is “specifically for state, local, and territorial (SLT) governments across the country,” per CISA’s website, which indicates “funding from the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) helps eligible entities address cybersecurity risks and threats to information systems” that are owned or operated by or on behalf of “state, local and territorial governments.” Via two Notice of Funding Opportunities, SLCGP and TCGP “will distribute $1 billion over four years to support projects throughout the performance period of up to four years,” the website said, noting this year, “the TCGP will be released after SLCGP.” The first year of the program, Rosado said, comprises “about $185 million.” California, he added, is “well prepared, is already moving forward on this initiative.” Its objectives are to ensure the cyber postures of state and local governments improve; that they understand what their postures are; that they write new policies and test them; and train their workforce.
- The federal government doesn’t always do a good job of smoothing its lengthy security processes during hiring, Rosado said during the event Oct. 20, but DHS’ Cyber Talent Management System (CTMS) is specifically for cybersecurity and is “where we can directly hire folks based on their qualifications.” A federal personnel system that connects to the DHS Cybersecurity Service, CTMS is aimed at modernizing federal hiring, per its website. In “streamlined hiring processes,” applicants do customized, skill-based applications that eliminate unnecessary steps, and take part in “competency-based assessments, including real-world simulations, to demonstrate their ability to perform cybersecurity-related work.” Salaries are competitive and driven by “employees’ impact on the DHS cybersecurity mission,” and staffers have access to “regular training and professional development” aimed at helping them refine specialized skills.
- Among CISA’s initiatives, the regional director said, is the Joint Cyber Defense Collaborative, which aims to collaborate with the “top companies in the country, in the banking sector, in the tech sector, in the finance sector.” Per its website, JCDC acknowledges that “no one entity can secure cyberspace alone.” JCDC strives to “unify cyber defenders from organizations worldwide,” creating a “diverse team (that) proactively gathers, analyzes, and shares actionable cyber risk information to enable synchronized, holistic cybersecurity planning, cyber defense, and response.” When a vulnerability is identified, Rosado said, the companies that are part of JCDC will go to work and when a patch, update or way to solve the vulnerability is identified, “then we will share it through all of their networks and just get it out there as soon as possible.”
“This is how you operationalize collaboration,” he said. “It’s a wonderful initiative.” - The regional director offered several best practices that governments can use to “reduce the attack surfaces inside”: First, enable multifactor authentication. Second, use strong passwords that are different for every use case. Ensure that your workforce is trained on cybersecurity matters both complex and simple. And last but surely not least, regularly update your software.
*Government Technology magazine is a publication of e.Republic, which also produces Industry Insider — California.
