CISA hurries to release key cybersecurity reports and guidelines before the Biden administration ends and the Trump administration begins.
As the Biden Administration comes to an end, the Cybersecurity and Infrastructure Security Agency (CISA) continues to work. On January 8, 2025, Director Jen Easterly put out a blog highlighting the NACD Director’s Handbook on Cyber-Risk Oversight, a framework developed in coordination with the National Association of Corporate Directors and the Internet Security Alliance. Two days later, CISA published a Cybersecurity Performance Goals Adoption Report, and on January 14 the agency worked with the Joint Cyber Defense Collaborative (JCDC) to release the AI Cybersecurity Collaboration Playbook.
The NACD Handbook on Cyber-Risk Oversight was originally published in March 2023. Still, Easterly’s blog presented the handbook as topical: “Today, given our complex, dynamic, and highly interconnected environment—an environment where nation-state adversaries are more active and capable than ever, and where the private sector is on the front lines of the cyber fight—boards and company leadership must consider the critical role they play in national security and ensuring systemic resilience.” The handbook reflects some of the “Secure by Design” principles Easterly has championed, and stresses the need for corporate leaders to be more involved in cybersecurity to make sure it isn’t “allowed to significantly lag behind innovation.”
The Cybersecurity Performance Goals Adoption Report analyzes how vulnerability exposures have changed since CISA issued some of its cybersecurity performance goals (CPGs). CPGs are a set of voluntary cybersecurity standards designed to help smaller organizations start investing in cybersecurity by choosing basic steps with “high-impact security outcomes.” The cross-sector CPGs are aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, but CPGs can also be sector-specific, like the healthcare CPGs developed last year.
The six CPGs in the report were:
- 1.E: Mitigating Known Vulnerabilities
- 2.K: Strong and Agile Encryption
- 2.M: Email Security
- 2.W: No Exploitable Services on the Internet
- 2.X: Limit OT Connections on the Public Internet
- 4.C: Security.txt Adoption
According to the report, the adoption of these measures led to fewer exploitable services, shorter remediation times for secure sockets layer (SSL) and known exploited vulnerability tickets, and “the highest occurrence of operation technology (OT) protocols exposed to the public internet” - suggesting the CPGs are being implemented and are improving national security.
CISA’s AI Cybersecurity Collaboration Playbook is just the latest guidance the agency has provided on AI systems. CISA has released a roadmap and guidelines for secure AI system development in the last few years, and the new playbook offers collaboration as an answer to the risks it has previously identified. The key goals are to:
- Simplify coordination among different groups to increase understanding of AI cybersecurity risks and enhance AI systems' defenses.
- Help JCDC partners learn how to share information about cybersecurity incidents and vulnerability information about AI systems.
- Define ways to protect shared information and mechanisms for sharing it.
- Explain what actions CISA will take when information is shared to boost collective defense efforts.
The speed with which CISA shared these materials is likely influenced by the upcoming administration change. Jen Easterly is stepping down on President-elect Donald Trump’s inauguration day, as the secretary of the DHS is being replaced by Trump’s pick. Jack Cable, a senior technical advisor at CISA who is also stepping down, anticipates that ‘secure by design’ initiatives (like working with software developers to build cybersecurity measures into their products) will still have a place in government in the next four years: “I hope that the incoming administration can recognize that we do have a real ability to partner with the manufacturers of these edge devices,” he said. “The Trump administration has made it clear that they are going to be very active in defending against threats from the PRC [People’s Republic of China].” Drastic changes, like the new Department of Government Efficiency (DOGE), may yet limit CISA’s capabilities.
CISA is not the only government power scrambling to act - on January 16, 2025, Biden issued a lengthy executive order to strengthen national cybersecurity. It’s not clear how long it will last, but it shows that cybersecurity will likely continue to be a hot-button topic under Trump.