CISA promises bespoke cyber advice for agencies

The Cybersecurity and Infrastructure Security Agency is building out a new engagement arm, called the Federal Enterprise Improvement Team, meant to help government agencies navigate cybersecurity requirements.

The goal is to work with agencies to create cyber roadmaps with discrete action items using existing metrics CISA has on agencies, input from agencies themselves and the landscape of governmentwide cyber mandates that agencies are navigating, said FEIT director Doc McConnell at FCW's CDM Summit on Wednesday. 

The team started with one employee in October 2021 with money from the American Rescue Plan Act. Now, the team size is in the double digits, said McConnell. CISA asked for $11.6 million for FEIT in its 2023 budget request. 

The unit is focused on establishing relationships with leadership at the largest federal agencies (those under the Chief Financial Officers Act). Some chief information security officers have already met with CISA, and others should expect to hear from the FEIT soon, said McConnell. 

The team’s director said that the FEIT is currently concentrating on five operational risk areas: asset visibility and management; enterprise vulnerability management; defensible architecture and network hygiene; incident management and response; and cyber supply chain risk management.

FEIT stands apart from other parts of CISA in that it’s focused on the federal government specifically, as opposed to the private sector. 

The new team came out of an awareness that agencies need additional support, said McConnell.

“It is really, really hard to be a federal agency trying to manage a cybersecurity program today. The requirements keep mounting. They are all hard. They are all fast,” he said. “Even as CISA continues to expand and stand up new programs and services to support the agencies, we've realized that one thing that was missing was having that dedicated, ongoing link back to the agencies.”

In addition to the advisory services FEIT is offering, the FEIT is also meant to ensure that agencies are connected to “that full suite of CISA support” – including shared services and more technical assistance – and serve as a “single, dedicated point of contact” for agencies, said McConnell.

The unit will also be on the lookout for common challenges across agencies.

“We're also constantly going to be looking for ways to build a solution for one agency and then adapt that solution to be more broadly applicable,” said McConnell.

Speaking about what CISA offers with the FEIT in the current landscape already busy with existing mandates and goalposts for agencies, McConnell said, “my team can bring our perspective, our analysis of the data that CISA has already collected, to help inform the agency's understanding of their own risk within the broader context of the federal enterprise.”

“Everybody can read that OMB memo that says, ‘Here are the things that everybody's supposed to do,’” said McConnell. “But really working with the executive leadership and an agency … to lay out, here's some specific, incremental steps that you can take that we know are going to be relevant to your environment and your challenges, that are going to get you closer to meeting that cybersecurity mandate – that’s the kind of strategic planning support and prioritization help that CISA can offer.”