CISA subpoena bill set to land


The Senate Homeland Security and Governmental Affairs Committee is expected to unveil legislation Thursday that would give the Department of Homeland Security's cyber agency the power to issue administrative subpoenas to Internet Service Providers for subscriber information related to critical infrastructure IT, according to an individual familiar with the matter.

The draft bill, which FCW has not seen, is based on a legislative proposal submitted to Congress by the Cybersecurity and Infrastructure Security Agency earlier this summer. That document contained draft legislative language that would have expanded the mission of the National Cybersecurity and Communications Integration Center to include "detecting, identifying and receiving information about security vulnerabilities in the information systems and devices of federal and non-federal entities" as well as notifying owners and operators that they are at risk.

According to the source, who was not authorized to speak on the record, the committee's legislation will make a number of changes from the version provided by DHS, including narrowing the scope of the authorities to apply only to subscriber information for critical infrastructure entities and only for cybersecurity purposes. There will also be added provisions around data retention.

In selling the idea to Congress and the public, CISA Director Chris Krebs and other officials have said the agency would only issue such subpoenas to contact owners of critical infrastructure. According to the DHS proposal, there are tens of thousands of Industrial Control System devices open to the internet identified by websites like Shodan and internal CISA monitoring, and "we know from experience and current threat reporting that these vulnerable entities are of keen interest to attackers."

The subscriber information sought by CISA includes the name, address, length and type of service utilized and telephone number for the owners of any connected enterprise devices and systems, which the agency's proposal defined as "any system or device commonly used to perform industrial, commercial, scientific or governmental functions or processes."

When DHS' plan was first reported in the media, CISA encountered a wave of questions from Congress and from privacy and civil liberties groups concerned about overreach and abuse. Outgoing Assistant Director for Cybersecurity and Communications Jeanette Manfra gave FCW a statement in October saying the agency would work with Congress to address outstanding concerns.

"We will work with Congress to ensure this authority is narrowly tailored and appropriate safeguards are in place," Manfra said.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

