CISA subpoena bill set to land

eye behind data (Titima Ongkantong/ 

The Senate Homeland Security and Governmental Affairs Committee is expected to unveil legislation Thursday that would give the Department of Homeland Security's cyber agency the power to issue administrative subpoenas to Internet Service Providers for subscriber information related to critical infrastructure IT, according to an individual familiar with the matter.

The draft bill, which FCW has not seen, is based off a legislative proposal submitted to Congress by the Cybersecurity and Infrastructure Security Agency earlier this summer. That document had draft legislative language that would have expanded the mission of the National Cybersecurity and Communications Integration Center to include "detecting, identifying and receiving information about security vulnerabilities in the information systems and devices of federal and non-federal entities" as well as notifying owners and operators that they are at risk.

According to the source, who was not authorized to speak on the record, the committee's legislation will make a number of changes from the version provided by DHS, including narrowing the scope of the authorities to apply only to subscriber information for critical infrastructure entities and only for cybersecurity purposes. There will also be added provisions around data retention.

In selling the idea to Congress and the public, CISA Director Chris Krebs and other officials have said the agency would only issue such subpoenas to contact owners of critical infrastructure. According to the DHS proposal, there are tens of thousands of Industrial Control System devices open to the internet identified by websites like Shodan and internal CISA monitoring, and "we know from experience and current threat reporting that these vulnerable entities are of keen interest to attackers."

The subscriber information sought by CISA includes the name, address, length and type of service utilized and telephone number for the owners of any connected enterprise devices and systems, which the agency's proposal defined as "any system or device commonly used to perform industrial, commercial, scientific or governmental functions or processes."

When DHS' plan was first reported in the media, CISA encountered a wave of questions from Congress and privacy and civil liberties groups concerned about overreach, abuse. Outgoing Assistant Director for Cybersecurity and Communications gave FCW a statement in October saying the agency would work with Congress to address outstanding concerns.

"We will work with Congress to ensure this authority is narrowly tailored and appropriate safeguards are in place," Manfra said.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.


  • IT Modernization
    shutterstock image By enzozo; photo ID: 319763930

    OMB provides key guidance for TMF proposals amid surge in submissions

    Deputy Federal CIO Maria Roat details what makes for a winning Technology Modernization Fund proposal as agencies continue to submit major IT projects for potential funding.

  • gears and money (zaozaa19/

    Worries from a Democrat about the Biden administration and federal procurement

    Steve Kelman is concerned that the push for more spending with small disadvantaged businesses will detract from the goal of getting the best deal for agencies and taxpayers.

Stay Connected