CISA’s 2024 Achievements and Initiatives

Bola Ogbara

CISA's final 2024 achievements include updating the NCIRP, issuing a new cybersecurity playbook, and mandating secure configuration for Microsoft 365 in federal agencies.

2024 has been a big year for the Cybersecurity and Infrastructure Security Agency (CISA). In their end-of-year review, the agency shared how they worked to enhance election security, advanced their Secure by Design campaign, established AI leadership, published the Notice of Proposed Rulemaking for CIRCIA, and supported ‘target rich, cyber poor’ sectors like education, healthcare, and water and waste management. CISA dealt with cyber threats from China, Iran, and Russia while developing global alliances, even creating their first international strategic plan. The agency also worked to secure the future of cybersecurity by trying to close the cybersecurity skills gap. Even with all these accomplishments, CISA does not seem to be slowing down as the year ends. Just this week, CISA released a draft for their cyber incident response plan, published a guide with the Office of the National Cyber Director (ONCD), and shared a new binding operational directive.

On December 16, 2024, CISA announced the release of the 2024 draft of the National Cyber Incident Response Plan (NCIRP) and requested public comment. The plan was created in 2016 to act as the nation’s guidebook for coordinating response to significant cyber incidents, and the intention to update it was shared in October 2023. The initial aims (Unification, Shared Responsibility, Learning from the Past, Keeping Pace with Evolutions in Cybersecurity) are being addressed, as the draft includes a track for non-federal stakeholders to be involved in the response, legal and policy changes for agency roles and responsibilities, and a reliable cycle for more NCIRP updates in the future.

The new version of the NCIRP has several key changes. Now, CISA leads asset response (as opposed to the DHS through the National Cybersecurity and Communications Integration Center (NCCIC)). The plan has been consolidated, cutting down on the description of the core capabilities and instead focusing on the phases of cyber incident response operations and what should be done afterward. The 2024 version appears to be more usable than the 2016 iteration, but public opinion is still being formed. People can comment on the plan on the Federal Register until January 15, 2025.

The following day, CISA and ONCD published the Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure. The playbook serves as a guide for federal grant program managers, operators in critical infrastructure sectors, other governing organizations that award grant funds, and the recipients of these funds. The guidance is meant to help these parties integrate cybersecurity requirements into their programs, and contains recommended actions as well as a thorough set of resources for the grant recipients. There are also templates for creating a Cyber Risk Assessment and Project Cybersecurity Plan.

In addition to the playbook, CISA issued a binding operational directive (BOD 25-01) on December 17. The directive effectively orders federal departments and agencies to meet configuration baselines in their Microsoft 365 environments by June 20, 2025. BOD 25-01 aims to address recent cybersecurity incidents stemming from improper security control configurations in cloud environments. By mandating the implementation of CISA's Secure Cloud Business Applications (SCuBA) secure configuration baselines, this move should mitigate vulnerabilities and reduce the risk of compromises in federal cloud environments.

These milestones underscore CISA's work to build up cybersecurity measures and fortify critical infrastructure as we enter the new year. Even though the administration change and CISA director Jen Easterly's plan to step down on Inauguration Day cast some doubt on 2025, CISA’s latest actions prove the agency is doing what it can to secure the future.