CISA Identifying Critical Infrastructure

Earlier this week there was an interesting article over on InfoRiskToday.com. It talked about CISA’s establishing a program to identify critical infrastructure that would need to be protected from ‘global cyberthreats’. The article quotes CISA Director Jen Easterly talking about starting efforts to figure out how to identify "primary systemically important entities.” It goes on:

“"Whether this ends up in legislation or not - and I certainly hope it does - we are already thinking through the model," Easterly said. "So we're prototyping a variety of different approaches … to try and start identifying those entities that are in fact systemically important. We're doing it based on economic centrality, network centrality, and logical dominance in national critical functions.”

NOTE: the article uses the acronymized ‘Pisces’ instead of the abbreviated ‘PSIEs’ to shorten the "primary systemically important entities”. I wonder if this is a left-handed pun about fishing expeditions?

Does CISA, in fact need new legislative authority to collect and analyze this type of data? Actually, no. While congress has frequently tried to limit CISA’s private sector information collection to voluntary efforts {for example see 6 USC 659(i)(2)(C)}, it has authorized and tasked CISA (6 USC 664) with compiling a classified national asset database of each system or asset that the Secretary determines “to be vital and the loss, interruption, incapacity, or destruction of which would have a negative or debilitating effect on the economic security, public health, or safety of the United States, any State, or any local government” { §664(a)(1)(A)}.

Furthermore, §664(a)(1)(2) requires CISA to prepare a “n a single classified prioritized list of systems and assets included in the database under paragraph [§664(a)](1) that the Secretary determines would, if destroyed or disrupted, cause national or regional catastrophic effects.” So, Easterly is already required to maintain the PSIE list referenced in the article.

In general, CISA is supposed to use the State homeland security officials to collect the data, but §664(c)(2) specifically requires CISA to “identify and evaluate methods, including the Department’s Protected Critical Infrastructure Information Program, to acquire relevant private sector information for the purpose of using that information to generate any database or list, including the database established under subsection (a)(1) and the list established under subsection (a)(2).”

Currently, CISA is only authorized to use this database to formulate its plans and policies. It has not been given any regulatory authority to mandate security requirements (including reporting) on any of the listed private sector entities. The sole exception to this is that CISA is the regulatory agency for the Chemical Facility Anti-Terrorism Standards (CFATS) program. So, CISA can set forth cybersecurity mandates for facilities covered under that program.