The Business Software Alliance is raising concerns to Homeland Security Secretary Kristi Noem over guidance developed by the Cybersecurity and Infrastructure Security Agency, arguing that the agency should refocus its mission on “operational cybersecurity.”
“CISA’s core mission is to protect the federal civilian government networks (.gov), share information with private-sector partners, and support operational cybersecurity activities that protect American critical infrastructure,” BSA CEO Victoria Espinel writes in a March 6 letter to Noem.
Espinel writes, “In these operational cybersecurity roles, CISA provides a valuable resource to support industry in detecting and responding to cyber threats. BSA supports these operational cybersecurity activities.”
Espinel says, “We are concerned, however, with CISA developing guidance of limited value and pressuring private sector companies to adhere to its guidance, in effect creating mandatory checklists and requirements for businesses without a transparent process. We are also concerned that CISA guidance has been duplicative of or in conflict with existing guidance from the National Institute of Standards and Technology.”
CISA should have “meaningfully engaged with industry cybersecurity experts or focused on its operational cybersecurity mission,” Espinel argues.
Espinel emphasizes that “good guidance can improve cybersecurity.” She writes, “And BSA continues to encourage efforts to improve the cybersecurity of products and services from their design through their end of life. But notably, while there are other agencies that develop guidance, there is no other civilian agency that focuses on operational cybersecurity.”
CISA has produced targeted guidance for software manufacturers through its secure by design principles and subsequent publications. The agency unveiled a secure by design pledge at the 2024 RSA conference in San Francisco signed by 68 software manufacturers who committed to achieving seven security goals.
Espinel writes to Noem, “We recommend that you redirect CISA to its core mission of protecting the federal civilian government networks, including ensuring departments and agencies meet the same requirements the Federal Government imposes on its vendors; sharing information with private-sector partners; and supporting critical infrastructure owners and operators.
“By refocusing CISA on its core mission, you can provide a foundation for a successful CISA and a more secure nation,” according to the letter.
Noem committed to refocusing CISA’s mission at her confirmation hearing in January, where she argued that CISA should be focused on “hunt and harden.”
“CISA has gotten far off [that] mission,” Noem said. “They're using their resources in ways that [were] never intended. The misinformation and disinformation that they have stuck their toe into and meddled with should be refocused back onto what their job is. And that is to support critical infrastructure and to help our local and small businesses and critical infrastructure at the state level to have the resources and be prepared for those cyberattacks that they will face.”
CISA launched an internal review of its election efforts under CISA executive director Bridget Bean, who is currently leading the agency in an acting capacity. Following the review, the Center for Internet Security made a change on its website for the Elections Infrastructure Information Security and Analysis Center.
The page says, “Due to the termination of funding by the Department of Homeland Security, the Center for Internet Security no longer supports the EI-ISAC.”
CISA has also cut jobs as part of the Trump administration’s efforts to reduce the federal workforce.
President Trump nominated Sean Plankey to serve as the next CISA director on March 11. BSA’s Aaron Cooper praised Plankey’s nomination in a statement to Inside Cybersecurity.
BSA also unveiled its 2025 cybersecurity legislative agenda on March 10 and a blog with additional actions for the Trump administration.
The agenda provides recommendations on harmonizing cyber requirements, modernizing the federal government’s information technology, using artificial intelligence for cybersecurity and building the cyber workforce. -- Sara Friedman (sfriedman@iwpnews.com)
