Government , Industry Specific , Standards, Regulations & Compliance

CISA Planning JCDC Overhaul as Experts Criticize Slow Start

Top US Cyber Defense Agency Aims to Revamp Its Key Public-Private Collaborative
CISA Planning JCDC Overhaul as Experts Criticize Slow Start
The U.S. Cybersecurity and Infrastructure Security Agency heard that the Joint Cyber Defense Collaborative needs improvement. (Image: CISA)

The top U.S. cyber defense agency may overhaul its flagship public-private partnership as experts say the initiative is floundering due to unclear membership rules and participation hurdles.

See Also: Making Sense of FedRAMP and StateRAMP

The Cybersecurity and Infrastructure Security Agency heard recommendations for the Joint Cyber Defense Collaborative approved Wednesday by the agency's Cybersecurity Advisory Committee. The recommendations urge CISA to deepen the JCDC's focus on operational collaboration and clarify key operational components, such as criteria for membership and participation in physical spaces.

The JCDC was established in 2021 to coalesce the development of best practices across industries and serve as a resource for organizations involved in public policy. CISA said JCDC "has achieved significant milestones" but acknowledged in a draft report released Wednesday that the collaborative still "remains in an early stage" nearly three years later.

"I am excited about the recommendations discussed today and look forward to reviewing them,” CISA Director Jen Easterly said at the meeting Wednesday. “I know they are thoughtful and innovative ideas that align with CISA's priorities and mission."

CISA has accepted or partially accepted virtually all of the advisory committee's last set of recommendations. CISA's established the committee in June 2021 to provide strategic advice; it consists of 23 leading cybersecurity, technology and risk management experts. The agency did not immediately respond to a request for comment as to whether it plans to adopt the JCDC recommendations.

CISA has struggled to clearly detail who can be a member of the JCDC - and what being a JCDC partner even means - from its very inception, said Ari Schwartz, coordinator of the Center for Cybersecurity Policy and Law and former senior director of cybersecurity for the National Security Council.

"This issue has improved over time but it did cause them to have a very slow start," Schwartz told ISMG. "I think it is fair to say that they've had a few hits and a bunch of misses so far."

The JCDC includes 321 partner organizations across 12 critical infrastructure sectors and has developed security guidance for a range of industries, including a foundation for pipeline owners and operators to guide their investment, planning and operations in securing networks and mitigating cyberattacks. JCDC also provided support and information sharing during the fallout from the Log4Shell vulnerability, according to the federal Cyber Safety Review Board, and in mitigating and preparing for cyberattacks associated with Russia's invasion of Ukraine.

But the JCDC suffers from mission uncertainty, unclear membership requirements and the lack of a platform to enhance collaboration on the wide variety of tasks the collaborative was established to undertake, said Michael Daniel, president of the Cyber Threat Alliance.

"CISA should publicly define the membership criteria," Daniel told Information Security Media Group. "These criteria might indicate different levels of membership or differing levels of participation, depending on the scenario."

Daniel suggested that the JCDC issue a two-page quarterly report "written in plain English" on its activities, including a general rundown of how the collaborative "is actively contributing to and improving our cybersecurity."

CISA's Cybersecurity Advisory Committee said the JCDC should eventually reach a maturity state where its membership criteria is clear not just to current participants but to others interested in potentially joining the collaborative. The committee also said the JCDC "will have an enhanced ability to respond to active issues while proactively preparing for future issues."


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.