Senate's CISA subpoena bill adds privacy protections to DHS proposal


The Senate Homeland Security and Governmental Affairs Committee is preparing to release legislation that would give the Department of Homeland Security administrative subpoena powers to obtain subscriber information for vulnerable devices and systems connected to critical infrastructure.

The Cybersecurity Vulnerability Identification and Notification Act of 2019 would allow CISA to subpoena subscriber information for enterprise devices or systems, defined as those "commonly used to perform industrial, commercial, scientific, or governmental functions or processes that relate to critical infrastructure, including operational and industrial control systems, distributed control systems, and programmable logic controllers."

Subpoenas would be issued when the director of CISA identifies internet-connected systems with specific vulnerabilities, is unable to identify the entity at risk and "has reason to believe" the system relates to critical infrastructure. The Senate bill, which was obtained by FCW, adds a provision not included in the original DHS proposal specifying that the authority cannot be used for information relating to "personal devices and systems, such as consumer mobile devices, home computers, residential wireless routers, or residential Internet enabled consumer devices."

The legislation gives CISA three months after passage to develop internal procedures and associated training for employees to address "the protection of and restriction on dissemination of nonpublic information obtained through a subpoena" as well as requirements that the agency not disseminate any nonpublic information obtained through the subpoena unless the party or entity gives consent or CISA is notified of a cybersecurity incident that specifically relates to the vulnerability that led them to issue a subpoena.

CISA must also develop procedures that would require them to destroy any personally identifiable information about a subscriber within six months of obtaining it if it relates to critical infrastructure and immediately if it doesn't.

Finally, CISA would need to develop criteria for formal assessments to determine whether a subpoena is necessary prior to issuing one.

No later than six months after establishing those internal procedures, the director of CISA would make public information detailing the purposes of issued subpoenas, the subpoena process, criteria for critical infrastructure security risk assessments, policies and procedures on retention and sharing of data and guidelines for how entities contacted by CISA may respond.

The agency must also provide annual reports to the House and Senate Homeland Security Committees on the number of subpoenas issued, how effective they have been at mitigating critical infrastructure security vulnerabilities and other relevant information about how the agency is using its new powers.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
