The Cybersecurity and Infrastructure Security Agency (CISA) is a United States federal agency within the Department of Homeland Security (DHS), established on November 16, 2018, through the Cybersecurity and Infrastructure Security Agency Act of 2018, which elevated and reorganized DHS's cybersecurity and infrastructure protection components previously under the National Protection and Programs Directorate.[1][2][3] CISA's core mandate involves leading efforts to understand, manage, and reduce risks to the nation's cyber and physical infrastructure, including critical sectors such as energy, water, transportation, and communications, by coordinating with federal, state, local, tribal, territorial governments, and private sector partners.[4][5][6]

CISA executes its responsibilities through divisions focused on cybersecurity operations, infrastructure protection, and emergency communications, providing threat intelligence, vulnerability assessments, incident response, and resilience-building initiatives like the Joint Cyber Defense Collaborative (JCDC) for global threat sharing and programs such as StopRansomware.gov to combat ransomware attacks.[7][8] Notable achievements include annual risk reduction efforts, such as issuing guidance on secure software development, expanding international partnerships for threat mitigation, and conducting training like the Federal Cyber Defense Skilling Academy to enhance workforce capabilities in defending against evolving cyber threats.[9][10]

Under initial director Christopher Krebs (2018–2020), CISA emphasized election infrastructure security, but his tenure ended with dismissal by President Trump amid disputes over 2020 election integrity assessments.[11] Subsequent leadership, including Director Jen Easterly, has overseen expanded operations, yet the agency has faced significant scrutiny for alleged overreach, including facilitating censorship of social media content on topics like the COVID-19 origins and Hunter Biden's laptop through partnerships with tech firms and disinformation monitoring systems, as detailed in congressional investigations revealing attempts to obscure these activities.[12][13][14] These controversies highlight tensions between CISA's protective mission and concerns over First Amendment implications, prompting calls for stricter oversight of its information-sharing and influence operations.[12]
Establishment and Legislative History
Pre-CISA Entities and Foundations
The Homeland Security Act of 2002, enacted on November 25, established the Department of Homeland Security (DHS) and directed it to identify, prioritize, and protect critical infrastructure from terrorist attacks, including through the designation of a dedicated critical infrastructure protection program and safeguards for voluntarily shared infrastructure information.[15] These provisions responded to post-9/11 assessments revealing concentrated vulnerabilities in sectors like energy, transportation, and communications, where disruptions could cascade into widespread economic and public safety impacts, necessitating federal coordination with state, local, and private entities without supplanting their primary responsibilities.[15]

Early cyber-specific efforts emerged in June 2003 with DHS's creation of the National Cyber Security Division (NCSD) under the Information Analysis and Infrastructure Protection Directorate, tasked with securing cyberspace, incident response, and vulnerability mitigation across government and critical sectors.[16][17] NCSD facilitated the launch of the U.S. Computer Emergency Readiness Team (US-CERT) later that year to monitor threats, analyze intrusions, and disseminate alerts, addressing empirical evidence of growing intrusions like state-linked espionage campaigns targeting U.S. networks.[18] This division integrated cyber risks into broader infrastructure safeguards, recognizing that digital interdependencies amplified physical threats, as seen in early incidents exposing unpatched systems and weak perimeter defenses.

The 2007 cyberattacks on Estonia, involving sustained distributed denial-of-service operations from April to May that overwhelmed government, banking, and media websites—causing temporary outages and economic losses estimated at millions—highlighted the feasibility of state-sponsored cyber actions to impair national functions without kinetic force.[19] Attributed to Russian actors amid political tensions, these events demonstrated causal pathways from network floods to service denials, prompting U.S. policymakers to reassess domestic coordination gaps, as similar tactics could exploit American infrastructure's higher digitization.[20] Concurrent U.S. exposures, including persistent advanced persistent threats, underscored the limits of siloed agency responses, driving structural reforms.

In 2007, amid DHS's post-Hurricane Katrina reorganization to streamline risk management, the National Protection and Programs Directorate (NPPD) was formed to consolidate infrastructure protection, cybersecurity, and resilience under a unified framework, absorbing NCSD functions and establishing dedicated offices for cyber communications and physical asset safeguards.[21][22] NPPD prioritized empirical risk assessments, private-sector partnerships for information sharing, and limited federal interventions focused on high-impact threats, avoiding expansive mandates that could duplicate commercial capabilities or incentivize over-reliance on government.[23] This directorate's emphasis on coordinated, non-bureaucratic oversight—evaluating over 16 critical sectors for interdependent risks—directly informed CISA's later architecture, emphasizing voluntary collaboration over top-down control.[21]
Creation via the 2018 Act
The Cybersecurity and Infrastructure Security Agency Act of 2018 (H.R. 3359) was signed into law by President Donald Trump on November 16, 2018, establishing CISA as a standalone agency within the Department of Homeland Security.[2][24] The legislation restructured the existing National Protection and Programs Directorate by elevating its cybersecurity and infrastructure protection components into an operational entity designed to prioritize rapid response to evolving digital and hybrid threats.[3][1] This reorganization aimed to centralize expertise and resources, addressing fragmentation in prior arrangements where cyber functions were subsumed under broader homeland security duties.[25]

The act's rationale stemmed from empirical evidence of cyber vulnerabilities' capacity to inflict widespread disruption equivalent to physical attacks, as demonstrated by incidents like the 2017 Equifax data breach, which exposed sensitive information of approximately 147 million Americans due to unpatched software flaws exploited by attackers.[26][27] Lawmakers cited such events to underscore the need for a dedicated agency to mitigate risks to critical infrastructure, where digital compromises could cascade into kinetic-like effects on power grids, transportation, and financial systems.[3] Bipartisan congressional backing reflected a consensus on treating cyber defense as a core national security priority, with the House passing the bill 418-0 in April 2018 and the Senate approving it unanimously in September 2018.

Core provisions directed CISA to coordinate information sharing among government, private sector, and international partners, including through established sector-specific Information Sharing and Analysis Centers (ISACs); perform regular vulnerability and risk assessments for federal networks and critical infrastructure; reassign the authority to create and deploy the National Emergency Technology Guard (NET Guard) to the CISA Director; and promulgate frameworks for managing cyber risks without authorizing expansive new domestic surveillance capabilities.[24][28][29] These measures emphasized defensive coordination and voluntary private-sector engagement over mandatory data collection, constraining the agency's initial scope to protective functions amid concerns over potential mission creep.[30]
Post-Establishment Reforms and Expansions
Following the SolarWinds supply chain compromise discovered in December 2020, which affected multiple federal agencies and highlighted vulnerabilities in software development and deployment, the Cybersecurity and Infrastructure Security Agency (CISA) implemented immediate mitigations through Emergency Directive 21-01, mandating federal civilian executive branch agencies to disconnect or power down compromised Orion software products and conduct enhanced threat hunting. This incident, attributed to a Russian nation-state actor, exposed coordination gaps between CISA and other entities, prompting administrative enhancements in threat sharing and visibility into federal networks during 2020-2022.[31] In response, President Biden issued Executive Order 14028 on May 12, 2021, which expanded CISA's mandate to oversee federal adoption of zero-trust architectures, software bill of materials for supply chain risk management, and cybersecurity performance goals, directly addressing empirical deficiencies in incident response and vendor accountability revealed by SolarWinds.[32] These reforms filled real coordination voids, as evidenced by subsequent improvements in federal logging and endpoint detection, but also broadened CISA's purview toward proactive federal system hardening, potentially straining resources originally focused on critical infrastructure advisories.[33]

Fiscal expansions accompanied these operational shifts, with CISA's enacted budget rising from approximately $2.0 billion in FY2022 to $2.7 billion in FY2024, reflecting congressional recognition of escalating ransomware incidents—such as the 2021 Colonial Pipeline attack—and persistent nation-state intrusions amid geopolitical tensions like the Russia-Ukraine conflict.[34] The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) further institutionalized expansions by requiring covered entities to report ransomware and significant cyber incidents to CISA within 72 hours, enhancing the agency's data collection for threat analysis but introducing regulatory burdens that some industry stakeholders argued could divert attention from core technical defenses.[35] Structural tweaks, including the integration of artificial intelligence via the 2023-2024 CISA Roadmap for AI released in November 2023, aimed to leverage AI for anomaly detection and red teaming against emerging threats, aligning with observed increases in AI-enabled attacks by nation-state actors.[36] While these measures causally mitigated specific gaps—such as delayed visibility into supply chains—they risked diluting CISA's foundational emphasis on infrastructure-specific cybersecurity by incorporating broader AI governance and non-technical resilience planning, as critiqued in oversight reports noting staffing shortfalls despite budget growth.[33]

Such reforms responded to quantifiable threat evolutions, including a tripling of reported ransomware victims from 2020 to 2022 per FBI data, yet introduced potentials for mission expansion into areas like election security coordination, which, while addressing hybrid threats, prompted concerns over scope creep without corresponding accountability mechanisms.[37] Independent audits affirmed that while enhancements bolstered defenses against state-sponsored intrusions, unchecked administrative layering could undermine operational agility, underscoring the tension between adaptive growth and preserved technical focus.[31]
Mission, Mandate, and Responsibilities
Cybersecurity Core Functions
The Cybersecurity and Infrastructure Security Agency (CISA) leads federal civilian cybersecurity efforts by providing a common baseline of security across the Federal Civilian Executive Branch (FCEB), including risk management support and coordination to mitigate cyber threats to government networks.[38] This role encompasses deploying detective and preventative technologies, sharing analyzed threat information with other federal agencies, and coordinating training for personnel to enhance response capabilities.[39] CISA's Cybersecurity Division specifically focuses on reducing the prevalence and impact of cyber incidents through services such as guidance on secure configurations and capabilities for vulnerability identification.[40]

A key function involves vulnerability scanning and cyber hygiene services, which continuously monitor internet-accessible assets for known vulnerabilities and weak configurations to minimize attack surfaces for federal agencies and critical infrastructure entities.[41] These no-cost services, offered in partnership with entities like the Department of Justice for specialized scanning of databases, operating systems, and endpoints, enable ongoing assessments to detect exploitable weaknesses.[42] For instance, CISA's scanning evaluates public IPv4 addresses against common vulnerabilities, providing reports that support remediation efforts aligned with empirical risk reduction.[43]

CISA coordinates national cyber incident response under the National Cyber Incident Response Plan (NCIRP), a framework established in 2016 and updated periodically to outline whole-of-nation approaches for significant incidents affecting national security or the economy.[44] As the lead for federal coordination, CISA disseminates alerts and facilitates private sector, state, and local involvement in mitigation, emphasizing scalable responses to exploits like supply chain compromises.[45] This includes issuing emergency directives, such as those following the December 2020 SolarWinds Orion exploitation, where CISA alerted on active threats in versions 2019.4 HF 5 through 2020.2.1 HF 1 and provided supplemental guidance for remediation.[46][47]

Threat intelligence sharing forms another core duty, with CISA coordinating through sector-specific Information Sharing and Analysis Centers (ISACs) and Analysis Organizations (ISAOs) to exchange indicators of compromise and defensive measures.[28] This includes integration with the Automated Indicator Sharing (AIS) platform, allowing indirect participation via ISACs for real-time cyber threat data without direct federal interaction.[48] Such mechanisms prioritize causal prevention of exploits by enabling rapid dissemination of technical indicators, as seen in post-incident analyses tied to advisories like those for SolarWinds-related tactics.[49]
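The first step an agency had to take under the Orion directive was to find out which of its installations fell inside the affected version range the alert named. The following is an added example, not CISA's own tooling: it parses SolarWinds-style version strings (a dotted release number with an optional "HF n" hotfix suffix) into a sortable tuple and triages a constructed host inventory against the range quoted above, 2019.4 HF 5 through 2020.2.1 HF 1 inclusive. The hostnames and versions in the sample inventory are invented; the ordering rule that a hotfix sorts after its base release but before the next point release is an assumption about how these builds are numbered.

```python
"""Triage of SolarWinds Orion build versions against the affected range quoted in
CISA's December 2020 alert (2019.4 HF 5 through 2020.2.1 HF 1, inclusive).

Added example; not CISA's tooling. The inventory below is constructed sample data."""
import re
from typing import Tuple

# Affected range as quoted in the alert (inclusive on both ends).
AFFECTED_LOW = "2019.4 HF 5"
AFFECTED_HIGH = "2020.2.1 HF 1"

# "<major>.<minor>[.<patch>]" followed by an optional hotfix suffix "HF n" / "HFn".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Tuple[int, int, int, int]:
    """Normalise an Orion version string to (major, minor, patch, hotfix).

    '2019.4 HF5' -> (2019, 4, 0, 5); '2020.2' -> (2020, 2, 0, 0).
    Assumption: a hotfix sorts after its base release, so '2020.2 HF1' > '2020.2',
    and before the next point release, so '2020.2 HF1' < '2020.2.1'.
    Raises ValueError on strings that do not look like an Orion version.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many version components: {text!r}")
    parts += [0] * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], hotfix)


def is_affected(version: str) -> bool:
    """True if the build falls inside the quoted affected range (inclusive)."""
    v = parse_orion_version(version)
    return parse_orion_version(AFFECTED_LOW) <= v <= parse_orion_version(AFFECTED_HIGH)


def triage_inventory(inventory):
    """Split (hostname, version) pairs into hosts the 'disconnect or power down'
    action applies to, hosts outside the range, and hosts whose version string
    could not be parsed (reported rather than silently treated as clear)."""
    affected, clear, unknown = [], [], []
    for host, version in inventory:
        try:
            (affected if is_affected(version) else clear).append(host)
        except ValueError:
            unknown.append(host)
    return {"affected": affected, "clear": clear, "unknown": unknown}


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1 HF1"),   # last build inside the range
    ("orion-prod-02", "2019.4 HF5"),     # first build inside the range
    ("orion-lab-01", "2020.2"),          # base release inside the range
    ("orion-dr-01", "2020.2.1 HF2"),     # past the upper bound
    ("orion-old-01", "2019.4 HF4"),      # below the lower bound as quoted
    ("orion-test-01", "unknown build"),  # inventory gap: flag for manual check
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket exists because an inventory gap is itself a finding during an emergency directive: a host whose version cannot be established should be handled as potentially affected, not dropped from the list.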
Critical Infrastructure Protection Duties
The Cybersecurity and Infrastructure Security Agency (CISA) serves as the national coordinator for critical infrastructure security and resilience, as designated under Presidential Policy Directive 21 (PPD-21), issued on February 12, 2013, which identifies 16 critical infrastructure sectors and emphasizes shared responsibilities among federal, state, local, tribal, territorial governments, and private sector owners and operators.[50][51] These sectors include energy, financial services, and transportation systems, where disruptions can cascade across interdependent physical and cyber systems, such as a cyber intrusion triggering physical shutdowns in pipelines or power grids.[52] Under the Homeland Security Act of 2002, as amended, the Department of Homeland Security (DHS)—CISA's parent agency—holds primary responsibility for protecting these assets from physical and cyber threats, with CISA facilitating coordination with Sector Risk Management Agencies (SRMAs) for each sector to conduct risk assessments, develop resilience plans, and provide guidance on physical security measures like access controls and perimeter defenses.[53]

CISA's duties extend to analyzing interdependencies between physical infrastructure and cyber elements, using empirical data from incident responses to inform risk management without mandating private sector compliance. For instance, following the May 7, 2021, ransomware attack on Colonial Pipeline—which compromised operational technology systems, forcing a manual shutdown of the 5,500-mile fuel pipeline and causing regional shortages—CISA led assessments revealing how cyber vulnerabilities directly disrupted physical supply chains, affecting 45% of East Coast fuel distribution and highlighting causal links between digital intrusions and tangible economic impacts estimated at $1 billion in losses.[54][55] These evaluations prioritize data-driven prioritization of threats, vulnerabilities, and consequences across sectors, coordinating with SRMAs to enhance resilience through voluntary frameworks rather than prescriptive regulations.[56]

While CISA has advanced standardization in risk assessment methodologies—such as sector-specific plans under PPD-21 that have facilitated cross-sector information sharing—critics argue that associated regulatory efforts, including proposed cyber incident reporting rules, impose disproportionate administrative burdens on private owners who control 85% of critical infrastructure without commensurate reductions in empirically observed threat levels.[57][58] Industry stakeholders and congressional oversight have highlighted duplicative requirements overlapping with sector-specific agencies, potentially diverting resources from core physical hardening measures like redundant systems or supply chain diversification, as evidenced by delays in rulemaking to mitigate scope creep.[59][60] This tension underscores the causal reality that effective protection relies on incentivizing private investment in resilience over federal mandates, given limited evidence of proportional threat mitigation from expanded reporting.[61]
Evolving Mandates in Emerging Threats
In response to the proliferation of artificial intelligence (AI)-enabled threats, such as generative AI tools exploited by foreign adversaries for disinformation and cyber intrusions, CISA issued its 2023-2024 Roadmap for Artificial Intelligence on November 9, 2023, outlining agency-wide strategies to mitigate risks to critical infrastructure.[36] This roadmap emphasizes promoting "secure by design" principles for AI systems, requiring manufacturers to integrate security from the outset—such as robust data validation and adversarial robustness—rather than relying on post-deployment patches, thereby shifting primary responsibility to vendors for customer outcomes.[62] Empirical evidence of causal risks includes documented instances of AI-augmented attacks, like deepfake manipulations in influence operations attributed to state actors, which the roadmap ties to CISA's mandate by aligning with national AI strategies to prevent escalation in hybrid threats.[63] However, this expansion has prompted scrutiny over whether it sufficiently distinguishes genuine foreign technical threats from broader normative goals, such as content moderation, given CISA's integration of AI security into vendor accountability frameworks that could indirectly influence domestic software ecosystems.[64]

Parallel to AI adaptations, CISA's mandates evolved to encompass election infrastructure following its designation as a critical infrastructure subsector by the Department of Homeland Security on January 6, 2017, which prioritized federal resources for cybersecurity scans, physical security assessments, and resilience planning for voting systems and voter databases.[65] This designation, rooted in observed foreign interference attempts like the 2016 Russian probing of state systems, enables CISA to provide targeted assistance—such as vulnerability mitigation tools and interagency coordination—without altering state authority over election administration.[66] The Election Infrastructure Subsector-Specific Plan further delineates protections against cyber and physical disruptions, focusing on empirical vulnerabilities like unpatched software in election management systems that could enable ballot manipulation or denial-of-service attacks.[67] Yet, definitions of "resilience" in these frameworks have drawn criticism for extending beyond verifiable technical safeguards to include subjective elements like public confidence narratives, potentially enabling overreach into non-cyber domains such as misinformation countermeasures, despite causal evidence linking mandates primarily to interstate threats rather than domestic policy enforcement.[68] These evolutions reflect CISA's response to interconnected emerging risks, where AI exacerbates election-specific vulnerabilities, but evaluations of mandate scope underscore the need for delineating threat-driven interventions from expansive interpretations that risk blurring federal and state boundaries.[69]
Organizational Structure
Leadership and Key Directors
Christopher Krebs served as the first director of the Cybersecurity and Infrastructure Security Agency (CISA), appointed on November 20, 2018, following his earlier role as under secretary for the National Protection and Programs Directorate since June 15, 2018.[70] His tenure ended abruptly on November 17, 2020, when President Donald Trump fired him via Twitter after CISA issued a statement affirming the security of the 2020 U.S. presidential election, contradicting unsubstantiated claims of widespread fraud.[71] Krebs' leadership emphasized public-private partnerships in cybersecurity, laying groundwork for CISA's operational expansion amid rising nation-state threats.[72]

Jen Easterly succeeded Krebs as director, nominated by President Joe Biden and confirmed by the Senate on November 12, 2021, serving until her resignation effective January 20, 2025, coinciding with the inauguration of President Trump's second term.[73] Under Easterly, CISA pursued aggressive expansions, including the launch of the Joint Cyber Defense Collaborative (JCDC) in late 2021 to unify government, industry, and international cyber defenses against shared threats.[74] Her administration correlated with increased allegations of agency overreach, particularly in election-related activities and content moderation partnerships, though these faced partisan scrutiny from Republican lawmakers questioning CISA's impartiality.[75]

Following Easterly's departure, Dr. Madhu Gottumukkala assumed the role of acting director.[76] On March 11, 2025, President Trump nominated Sean Plankey, a former Department of Energy cyber official from Trump's first term, to serve as permanent director; as of October 2025, the nomination remained unconfirmed by the Senate amid holds and partisan delays.[77][78] The Trump administration implemented significant reductions, including halting federal support for state election security programs and proposing a $491 million cut to CISA's fiscal year 2025 budget, framed as a reevaluation of priorities toward core infrastructure protection over perceived politicized functions.[79][80] These shifts prompted concerns from Democratic officials about diminished cyber defenses but aligned with empirical critiques of prior expansions' efficiency and scope.[81]
Divisions, Offices, and Operational Components
The Cybersecurity and Infrastructure Security Agency (CISA) organizes its operations through several core divisions focused on distinct functional areas, enabling coordinated responses to cyber and physical threats to critical infrastructure. The Cybersecurity Division leads efforts in defending federal networks, vulnerability management, and threat intelligence sharing, serving as the operational hub for detecting and mitigating cyber risks across civilian executive branch systems.[82] The Infrastructure Security Division addresses physical and chemical security for critical sectors, including risk assessments and resilience planning for assets like pipelines and dams, with an emphasis on sector-specific coordination to prevent cascading failures.[82] Complementing these, the Stakeholder Engagement Division facilitates partnerships with state, local, tribal, territorial governments, and private entities to disseminate alerts and build collective defenses, directly influencing the agency's reach in non-federal environments.[82]

Additional operational components include the Emergency Communications Division, which ensures continuity of 911 services and public safety networks during disruptions, integrating cyber and physical safeguards for resilient communication pathways.[82] The Integrated Operations Division provides overarching coordination, fusing intelligence from multiple divisions to support real-time incident response and resource allocation, thereby linking siloed functions into a unified operational framework that enhances detection speed—though empirical audits indicate persistent gaps in execution.[82]

CISA also relies on advisory bodies for external expertise, such as the Cybersecurity Advisory Committee (CSAC), established in 2021 as an independent panel of industry and academic leaders to deliver strategic recommendations on threat prioritization and policy refinement, meeting quarterly to address evolving risks like supply chain vulnerabilities.[83] This structure supports input from non-governmental stakeholders, but a 2023 Department of Homeland Security Office of Inspector General (OIG) audit highlighted staffing shortages—with CISA operating at approximately 80% of authorized cyber personnel levels—as a causal barrier to effective threat detection and mitigation, correlating directly with delays in vulnerability scanning and incident triage across divisions.[33] These resource constraints, persisting despite recruitment incentives, underscore how understaffing in operational components reduces the agency's capacity to scale responses proportionally to threat volumes, as evidenced by slower integration of automated tools for real-time analysis.[33]
Programs and Initiatives
Cybersecurity-Specific Programs
The Secure by Design initiative, announced by CISA on April 10, 2023, directs software and hardware manufacturers to prioritize security in default configurations and development processes, with the objective of shifting responsibility for vulnerability mitigation from end-users to vendors and thereby reducing exploitation risks in prevalent threats like ransomware that leverage unpatched or misconfigured systems.[84] Core principles emphasize vendor ownership of downstream security outcomes, radical transparency in vulnerability handling, and embedding defenses against known attack patterns during design rather than post-deployment patching.[85] By late 2024, over a dozen manufacturers had signed CISA's Secure by Design Pledge, committing to actions such as eliminating default credentials—present in 80% of analyzed network devices as initial access vectors—and establishing public vulnerability disclosure policies, though adoption remains voluntary and independent verification of broad threat reduction metrics is scarce.[62] Participant self-reports, including Fortinet's elimination of legacy unsafe protocols in firmware updates, indicate internal efficacy in curbing common exploits, but program momentum faced setbacks in 2025 following resignations of key CISA personnel overseeing implementation.[86][87]

The Joint Cyber Defense Collaborative (JCDC), formed in August 2021 under CISA leadership, coordinates threat intelligence sharing among over 100 U.S. government agencies, private sector entities, and international partners to operationalize defenses against sophisticated actors targeting supply chains and remote services.[88] It has produced consolidated outputs like unified indicators of compromise (IOCs) and adversary tactics, techniques, and procedures (TTPs) derived from participant telemetry, enabling faster detection in scenarios involving ransomware groups that exploit shared vulnerabilities across sectors.[89] For instance, JCDC facilitated rapid dissemination of detection signatures during 2023-2024 threat hunts, correlating data from multiple firms to identify lateral movement patterns in managed service provider environments, as outlined in its inaugural Remote Monitoring and Management Cyber Defense Plan released August 17, 2023.[90] While specific quantitative metrics on adoption—such as reduced dwell times—are not publicly benchmarked, the framework's utility stems from standardized information exchange protocols that have supported over 20 documented success stories of expedited mitigations, though operational disruptions occurred in July 2025 due to contractor support lapses affecting personnel.[91][92]
Infrastructure Security and Resilience Efforts
The Infrastructure Security Division of CISA leads national efforts to manage risks and enhance resilience against physical, cyber, and hybrid hazards to critical infrastructure, coordinating with sectors such as energy, transportation, and water systems.[93] This includes updating the National Infrastructure Protection Plan (NIPP), which provides supplemental tools for executing risk management approaches and incorporating resilience into infrastructure projects, with biennial risk assessments mandated under National Security Memorandum-22 issued in April 2024.[94][95] Sector-specific playbooks and guidance address potential disruptions, such as those from coordinated physical and cyber attacks, emphasizing recovery planning and redundancy to minimize cascading failures.[52]

CISA delivers resilience services, including the Infrastructure Resilience Planning Framework released to assist communities and regions in identifying vulnerabilities and developing mitigation strategies through structured planning processes.[96] For state, local, tribal, and territorial (SLTT) governments, the agency provides no-cost vulnerability assessments and professional services to evaluate physical security postures and operational continuity, with expansions supported by fiscal year 2024 grant allocations under programs like the State and Local Cybersecurity Grant Program, which integrate infrastructure resilience metrics.[97][98] These tools aim to build capacity against hybrid threats, drawing empirical lessons from real-world incidents like the 2015-2016 Russian cyberattacks on Ukraine's electric grid, which demonstrated how cyber intrusions can enable physical disruptions and informed U.S. guidance on securing operational technology in pipelines and substations.

Despite these initiatives, evaluations highlight limitations in achieving measurable resilience, as empirical data on disruption recovery remains sparse and uneven across sectors.[99] Predominantly private ownership of critical infrastructure—over 85% in key sectors like energy and finance—has led to critiques of insufficient buy-in, with private operators often prioritizing short-term costs over long-term hardening recommended by CISA playbooks.[57] Recent workforce reductions and budget constraints in 2025 have exacerbated coordination challenges, potentially undermining the translation of federal guidance into private-sector implementation and exposing gaps in hybrid threat response.[100][101] GAO assessments note that while priority-setting has improved, consistent private adoption of resilience measures lags, as evidenced by persistent vulnerabilities in supply chain dependencies observed in post-incident analyses.[99]
Public-Private Partnerships and Collaborations
CISA coordinates with sector-specific Information Sharing and Analysis Centers (ISACs) across the 16 critical infrastructure sectors to enable targeted threat intelligence exchanges between government and private entities. These engagements facilitate the dissemination of sector-relevant cyber and physical threat data, drawing on private sector operational insights that public agencies lack.[102] Empirical outcomes include accelerated identification of supply chain risks, though measurable impacts on threat mitigation remain uneven due to varying ISAC maturity levels and participation rates among members.

The Automated Indicator Sharing (AIS) program, operational since 2016, supports real-time, bidirectional exchange of machine-readable cyber threat indicators and defensive measures among participants, including private firms and ISACs.[103] A 2025 Department of Homeland Security Office of Inspector General audit documented a surge in shared indicators but criticized CISA for inadequate outreach, resulting in low overall participation—fewer than 300 active participants despite outreach to thousands—limiting the program's scale and potential for widespread threat detection.[104] This gap underscores causal challenges in incentivizing private sector involvement without mandatory mechanisms, as firms weigh sharing benefits against proprietary data risks.

Launched in 2021 pursuant to the National Defense Authorization Act, the Joint Cyber Defense Collaborative (JCDC) integrates private industry capabilities with government resources for joint threat hunting, analysis, and response planning. JCDC has enabled rapid partner convenings, such as consolidating detection methods and indicators of compromise during active campaigns, which expedited mitigations for participants like CrowdStrike.[89] In fiscal year 2024, related efforts supported broader vulnerability coordination, though JCDC itself encountered operational setbacks, including a 2025 lapse in support contracts that reduced personnel and stalled initiatives.[92] By early 2024, industry feedback highlighted bureaucratic delays and inefficiencies, eroding enthusiasm despite initial successes in unifying defenses.[105]

CISA's ties with technology firms emphasize vulnerability management through the Coordinated Vulnerability Disclosure (CVD) program, which handled 845 cases in fiscal year 2024 to prioritize and disclose critical flaws in products and systems.[106] Complementary efforts, including the 2024 Secure by Design pledge signed by over 60 major tech companies, promote embedding security practices in software development to reduce exploitable weaknesses proactively.[107] These collaborations have empirically improved disclosure timelines and advisory issuance—yielding 427 advisories in 2024—but expose risks of asymmetric influence, as private firms' dominance in threat data could steer agency priorities toward commercial interests over impartial risk assessment.[108] Such dynamics necessitate scrutiny to prevent co-optation, particularly where partnerships overlap with non-technical policy domains.
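The "machine-readable cyber threat indicators" that AIS exchanges are carried as STIX objects over TAXII, and the recipient still has to turn each indicator's pattern into something it can run against its own telemetry. The following is an added example, not CISA or AIS code: it parses the single-comparison subset of the STIX 2.1 pattern language, maps the observable types onto the fields of a local event record, and matches a few events against the shared indicators. The indicator objects, their ids, the observables (documentation address space and a made-up hash) and the event records are all constructed for illustration; the `FIELD_MAP` event schema is an assumption about a local log format.

```python
"""Matching shared STIX 2.1 indicator patterns against local telemetry.

Added example (not CISA or AIS code). Indicator objects, observables and
event records below are constructed; only the STIX pattern syntax is real.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed indicators, trimmed to the fields this consumer needs. The last one
# uses a compound pattern the simple parser deliberately refuses, to show routing.
SHARED_INDICATORS = [
    {"id": "indicator--example-0001", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"id": "indicator--example-0002", "pattern": "[domain-name:value = 'update-check.invalid']"},
    {"id": "indicator--example-0003", "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
    {"id": "indicator--example-0004",
     "pattern": "[ipv4-addr:value = '203.0.113.5'] AND [domain-name:value = 'cdn.invalid']"},
]

# Supported subset: exactly one bracketed equality comparison, e.g.
# [ipv4-addr:value = '...'] or [file:hashes.'SHA-256' = '...'].
_SIMPLE_PATTERN = re.compile(
    r"^\[\s*(?P<obj>[a-z0-9-]+):(?P<path>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<val>[^']*)'\s*\]$"
)

# Which fields of our (assumed) event schema each observable type maps onto.
FIELD_MAP = {
    ("ipv4-addr", "value"): ["src_ip", "dst_ip"],
    ("domain-name", "value"): ["dns_query"],
    ("file", "hashes.SHA-256"): ["file_sha256"],
}


def parse_simple_pattern(pattern: str) -> Optional[Tuple[str, str, str]]:
    """Return (object type, property path, value) or None if the pattern uses
    operators (AND/OR/FOLLOWEDBY) or qualifiers outside the supported subset."""
    m = _SIMPLE_PATTERN.match(pattern)
    if not m:
        return None
    # Drop the quoting STIX uses around dictionary keys such as 'SHA-256'.
    return m.group("obj"), m.group("path").replace("'", ""), m.group("val")


def compile_indicators(indicators: List[Dict]) -> Tuple[Dict, List[str]]:
    """Build a (field, value) -> indicator id lookup; collect ids needing a full engine."""
    lookup: Dict[Tuple[str, str], str] = {}
    skipped: List[str] = []
    for ind in indicators:
        parsed = parse_simple_pattern(ind["pattern"])
        if parsed is None:
            skipped.append(ind["id"])
            continue
        obj, path, value = parsed
        for field in FIELD_MAP.get((obj, path), []):
            lookup[(field, value.lower())] = ind["id"]
    return lookup, skipped


def match_events(events: List[Dict], lookup: Dict) -> List[Dict]:
    """Return one hit per (event field, indicator) pair found in the events."""
    hits = []
    for event in events:
        for field, value in event.items():
            ind_id = lookup.get((field, str(value).lower()))
            if ind_id:
                hits.append({"event_id": event["event_id"], "field": field,
                             "value": value, "indicator": ind_id})
    return hits


# Constructed event records in the assumed local schema.
SAMPLE_EVENTS = [
    {"event_id": 1, "src_ip": "10.0.0.5", "dst_ip": "198.51.100.23", "dns_query": "", "file_sha256": ""},
    {"event_id": 2, "src_ip": "10.0.0.9", "dst_ip": "192.0.2.8", "dns_query": "Update-Check.invalid", "file_sha256": ""},
    {"event_id": 3, "src_ip": "10.0.0.9", "dst_ip": "192.0.2.9", "dns_query": "intranet.example", "file_sha256": "b" * 64},
]


def run() -> List[Dict]:
    lookup, _skipped = compile_indicators(SHARED_INDICATORS)
    return match_events(SAMPLE_EVENTS, lookup)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Refusing compound patterns rather than guessing at them is the point of `parse_simple_pattern`: a consumer that silently drops the `AND` clause would alert on half an indicator, so unsupported ids are returned separately for a full STIX pattern engine.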
Responses to Major Incidents and Threats
Role in High-Profile Cyber Attacks
In the SolarWinds supply chain compromise, detected in late 2020 and attributed to Russia's SVR by U.S. intelligence in April 2021, CISA played a pivotal role in federal mitigation efforts. On December 13, 2020, CISA issued an alert on active exploitation of SolarWinds Orion Platform software versions 2019.4 HF5 through 2020.2.1 HF1, which had been compromised via malicious updates affecting up to 18,000 customers, including nine U.S. federal agencies.[46][109] That same day, CISA released Emergency Directive 21-01, mandating federal civilian executive branch agencies to immediately disconnect or power down affected Orion instances, conduct full reviews for indicators of compromise, and implement enhanced logging and network segmentation—actions that limited further lateral movement by the intruders in government networks.[110] Subsequent supplemental guidance from CISA, updated through 2022, facilitated remediation, with federal agencies reporting improved detection capabilities post-directive, though initial attribution delays stemmed from the attack's stealthy persistence since March 2020.[111][33]

CISA's involvement extended to coordinating the SolarWinds Malware Hunting Task Force with partners like the FBI and NSA, which analyzed over 40,000 indicators of compromise and supported private sector victims, contributing to broader supply chain security enhancements.[31] Empirical outcomes included reduced dwell times in remediated federal systems, but the incident exposed persistent challenges in pre-breach visibility, as CISA later noted that basic multifactor authentication could have prevented much of the compromise.[112]

During the May 2021 Colonial Pipeline ransomware attack by the DarkSide group, which encrypted billing systems and prompted a precautionary shutdown of the 5,500-mile fuel pipeline on May 7—disrupting 45% of East Coast fuel supply—CISA activated its incident response mechanisms alongside the FBI and TSA.[54][113] CISA provided technical assistance for threat hunting and recovery, issuing advisories on ransomware indicators, but the operator's decision to pay approximately $4.4 million in Bitcoin on May 8 enabled partial system restoration, with full pipeline restart occurring on May 12 after five days of downtime.[114][115] Recovery timelines highlighted coordination limits, as the attack exploited a legacy VPN without multifactor authentication, and CISA's post-incident analysis underscored gaps in critical infrastructure segmentation, leading to TSA-mandated cybersecurity assessments for pipelines within 30 days.[116] While CISA facilitated FBI recovery of $2.3 million in ransom funds, the event demonstrated that federal guidance alone could not override private operational choices amid attribution uncertainties, with fuel shortages persisting due to panic buying rather than prolonged technical outage.[117]
Incident Response Mechanisms and Case Studies
The National Cyber Incident Response Plan (NCIRP) outlines CISA's core protocols for coordinating responses to significant cyber incidents, structuring efforts into detection and response phases across four lines: asset response for protecting and restoring systems, threat response for disrupting actors, intelligence support for analysis and attribution, and affected entity response for victim assistance.[44] This framework emphasizes scalable coordination among federal, state, and private entities, with CISA leading through its Hunt Forward operations—proactive deployments of "hunt-and-hack" teams to scan partner networks for indicators of compromise, share detections, and recommend mitigations.[118] These mechanisms prioritize rapid threat hunting over reactive forensics, aiming to preempt escalation by integrating endpoint detection, log analysis, and vulnerability scanning.[119]

In advisory AA25-266A, issued September 23, 2025, CISA detailed lessons from an incident response engagement at a Federal Civilian Executive Branch (FCEB) agency, where initial detection via security alerts enabled CISA teams to identify persistent malicious activity linked to unpatched known exploited vulnerabilities (KEVs).[120] Post-engagement analysis revealed causal failures in efficacy, including delayed patching of high-risk systems and insufficient intra-agency sharing of detection indicators, which prolonged actor dwell time; recommendations stressed immediate KEV remediation and automated alert dissemination to enhance collective defense.[121] This case underscored NCIRP's strength in federated response activation but highlighted procedural gaps, such as underutilized incident response playbooks, leading to inefficient containment and recovery timelines.[122]

Department of Homeland Security Office of Inspector General (OIG) evaluations have critiqued underlying scalability issues in these mechanisms, attributing limitations to chronic staffing shortfalls and resource misallocation. A 2023 OIG audit found that inadequate planning and personnel shortages left CISA reliant on outdated systems, hindering hunt team deployments and incident surge capacity.[33] Subsequent 2025 reports documented $1.41 million in improper payments via a mismanaged retention incentive program, exacerbating talent attrition in cyber response roles and risking operational bottlenecks during multi-vector incidents.[123] These findings indicate that while NCIRP provides a robust procedural backbone, human capital constraints causally undermine its execution, as evidenced by reduced Hunt Forward throughput amid workforce reductions affecting up to 40% of specialized teams.[124]
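The "delayed patching of high-risk systems" that AA25-266A describes is exactly the condition a routine check can surface before an engagement: each KEV entry carries a remediation due date, so an inventory of open vulnerabilities can be ranked by how far past that date an asset is. Below is an added example, not CISA code, of that cross-reference. The catalog excerpt mirrors the field names of CISA's published KEV JSON feed, but every entry is constructed with placeholder CVE identifiers, the asset inventory is constructed, and the reference date is chosen to match the advisory's issue date.

```python
"""Ranking open vulnerabilities by KEV due date and exposure.

Added example, not CISA code. The catalog uses the KEV feed's field names
but every entry, CVE identifier and asset below is constructed.
"""
from datetime import date
from typing import Dict, List

# Constructed excerpt in the layout of the KEV JSON feed; CVE ids are placeholders.
KEV_CATALOG = {
    "title": "constructed KEV excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Example VPN Gateway",
         "dateAdded": "2025-06-02", "dueDate": "2025-06-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Example Mail Server",
         "dateAdded": "2025-08-14", "dueDate": "2025-09-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Other Firewall",
         "dateAdded": "2025-09-20", "dueDate": "2025-10-11", "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed inventory: open CVEs per asset as a scanner would report them.
INVENTORY = [
    {"asset": "vpn-edge-01", "open_cves": ["CVE-0000-00001"], "internet_facing": True},
    {"asset": "mail-01", "open_cves": ["CVE-0000-00002"], "internet_facing": True},
    {"asset": "fw-lab-02", "open_cves": ["CVE-0000-00003"], "internet_facing": False},
    {"asset": "file-03", "open_cves": ["CVE-0000-09999"], "internet_facing": False},  # not KEV-listed
]


def index_kev(catalog: Dict) -> Dict[str, Dict]:
    """Map cveID -> catalog entry for O(1) lookup."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def kev_findings(inventory: List[Dict], catalog: Dict, today: date) -> List[Dict]:
    """Return KEV-listed open vulnerabilities, most urgent first.

    Urgency order: overdue before not-yet-due, then by days past the due date,
    then internet-facing assets, then entries with known ransomware use.
    Non-KEV CVEs are ignored here; they belong in the normal patch cycle.
    """
    kev = index_kev(catalog)
    findings = []
    for asset in inventory:
        for cve_id in asset["open_cves"]:
            entry = kev.get(cve_id)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_overdue = (today - due).days
            findings.append({
                "asset": asset["asset"],
                "cve": cve_id,
                "product": entry["product"],
                "due_date": entry["dueDate"],
                "days_overdue": days_overdue,
                "overdue": days_overdue > 0,
                "internet_facing": asset["internet_facing"],
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (f["overdue"], f["days_overdue"],
                                 f["internet_facing"], f["ransomware_use"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in kev_findings(INVENTORY, KEV_CATALOG, date(2025, 9, 23)):
        state = f"{f['days_overdue']}d overdue" if f["overdue"] else "not yet due"
        print(f"{f['asset']:<12} {f['cve']:<16} {state:<14} exposed={f['internet_facing']}")
```

The sort key puts an internet-facing VPN appliance that is months past its KEV due date at the top, which is the ordering a remediation queue needs; feeding the same list to a ticketing or chat hook is the "automated alert dissemination" the advisory recommends, and is left out here.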
Controversies and Criticisms
Allegations of Censorship and Content Moderation
A 2023 staff report by the House Judiciary Committee and Select Subcommittee on the Weaponization of the Federal Government detailed how CISA, originally focused on cybersecurity, expanded into monitoring and flagging online content labeled as misinformation, disinformation, and malinformation (MDM).[12] The report cited internal CISA documents showing the agency created an "MDM subcommittee" under its Cybersecurity Advisory Committee in 2021, involving tech firms and disinformation experts to advise on countering perceived narrative threats to critical infrastructure.[12] This shift positioned disinformation as a non-traditional security risk, with CISA employees reportedly partnering with platforms to identify and suppress content, including through a centralized "switchboard" system that funneled reports from government entities and NGOs to social media companies for moderation actions.[12][125]

Evidence from the report included over 1,000 pages of CISA records obtained via subpoena, revealing the agency's consideration of a "rapid response" team for domestic MDM incidents and coordination with entities like the Election Integrity Partnership to track online narratives from 2020 onward.[12] Critics, including committee members, contended this operationalized viewpoint-based content flagging, effectively enabling indirect government censorship by proxy through private companies, as platforms often complied with flagged requests to avoid regulatory scrutiny.[12] Such practices raised concerns of mission creep, where cyber infrastructure protection causally extended to domestic speech oversight without clear statutory authority, potentially chilling protected expression under the guise of threat mitigation.[12]

Federal courts have addressed these claims in litigation like Missouri v. Biden, where a 2023 Fifth Circuit ruling found probable cause that CISA and other agencies coerced platforms into moderating content, leading to injunctions barring such communications; the Supreme Court later vacated the injunction in 2024 on standing grounds but did not endorse the practices. CISA officials defended the initiatives as voluntary information-sharing to combat foreign adversary-driven disinformation campaigns targeting infrastructure resilience, emphasizing no direct mandates for removals and framing MDM efforts as extensions of election security protocols established post-2016. However, the House report highlighted discrepancies, noting CISA's deletion of records and resistance to oversight, which undermined transparency claims and fueled allegations of systemic evasion.[12]

Proponents of the allegations argue that institutional biases in academia and tech—often aligned with government narratives—amplified CISA's role, as evidenced by partnerships with university-based "disinformation" researchers who supplied flagging criteria skewed toward certain viewpoints.[126] In response, CISA disbanded its explicit MDM functions in 2022 amid scrutiny, pivoting to advisory roles, though subsequent audits noted persistent ambiguities in distinguishing security from content influence. These developments underscore ongoing debates over whether such monitoring safeguards democratic processes or erodes core protections against state-sponsored narrative control.[12]
Election Security Operations and Interference Claims
The Cybersecurity and Infrastructure Security Agency (CISA) designated election infrastructure as critical in 2017 and has since provided technical assistance, vulnerability scanning, and training to state and local officials to safeguard voting systems against cyber threats.[66] In the lead-up to the 2020 U.S. presidential election, CISA coordinated with partners to monitor and mitigate risks, issuing alerts on potential foreign interference attempts, such as Iranian actors creating fake websites threatening election officials in December 2020.[127] On November 4, 2020, CISA Director Christopher Krebs stated that the election was "the most secure in American history," citing no evidence of compromised voting systems despite scanning over 1,000 election-related networks and identifying minor vulnerabilities without exploitation.[128] This assessment aligned with joint statements from election security experts affirming the integrity of the vote tabulation process.[129]

CISA operated a "Rumor Control" webpage during the 2020 election cycle to debunk false claims about voting processes, such as misinformation on ballot drop boxes and mail-in voting, drawing from verified partnerships with state officials.[130] The agency extended this resource for subsequent elections, emphasizing factual corrections over narrative control, though critics argued it blurred lines between foreign threat mitigation and domestic content moderation.[131] Empirical data from CISA and FBI assessments indicate limited verified foreign cyber intrusions into election infrastructure; for instance, no malicious activity compromised vote integrity in 2020 or 2024, with threats primarily manifesting as influence operations rather than direct hacks.[132] In contrast, CISA's involvement in flagging potential disinformation—through mechanisms like the Election Integrity Partnership—generated thousands of reports on domestic content, often targeting political speech questioning election procedures, which some analyses link to subsequent platform suppressions.[126]

Allegations of partisan interference peaked post-2020, with claims that CISA overstepped into suppressing conservative narratives under the guise of countering "disinformation," as evidenced by internal documents revealing coordination with tech firms to flag content ahead of the election.[126] Krebs' firing by President Trump on November 17, 2020, stemmed from disputes over the "secure" declaration, which Trump deemed inaccurate amid ongoing fraud allegations.[133] These concerns persisted into the Biden administration, prompting scrutiny from congressional Republicans over CISA's role in what they described as government-orchestrated censorship.[126] In 2025, following Trump's reelection, the administration implemented cuts to CISA's election security teams, including placing staff on leave and freezing state aid per internal memos, actions attributed to distrust of prior operations perceived as biased toward one political side.[134][135] Budget proposals slashed nearly $500 million from CISA, prioritizing refocus on core cyber threats over expansive disinformation efforts.[80]

Audits, such as those from the DHS Office of Inspector General, affirmed CISA's technical enhancements to election infrastructure but highlighted ambiguities in its expanding mandate, including regional advisors added post-2020 to bolster state support.[69] While foreign alerts—e.g., Russian and Iranian influence campaigns—remained a focus, the disparity between scant confirmed hacks and voluminous domestic flagging fueled debates on whether CISA's interventions prioritized partisan narratives over verifiable threats.[136] Independent evaluations underscore effective safeguards against direct cyber manipulation but question the agency's impartiality in information operations.[137]
Broader Concerns of Mission Creep and Overreach
Critics have raised concerns that CISA's expansion into areas such as misinformation governance and non-traditional threat monitoring constitutes mission creep, potentially diverting resources from its core statutory focus on cybersecurity and critical infrastructure protection as established under the 2018 Cybersecurity and Infrastructure Security Agency Act.[12] This broadening of scope, initiated shortly after CISA's formation in November 2018, has been linked to internal surprises even among partner organizations regarding the agency's rapid assumption of roles in content-related threat assessment.[12]

In October 2025, Senator Ted Cruz launched a Senate Commerce Committee investigation into CISA's disinformation sub-agencies, accusing them of facilitating government-led censorship campaigns that exceed the agency's mandate and erode constitutional boundaries on federal authority.[138][139] Such probes highlight fears that these peripheral activities foster bureaucratic overreach, where causal linkages between expanded informational roles and enhanced infrastructure security remain empirically unproven, potentially straining operational focus amid persistent cyber threats.[140]

A March 2023 report from the Department of Homeland Security's Office of Inspector General (OIG) documented CISA's resource, staffing, and technology deficiencies that directly impeded cyber threat detection and mitigation efforts, with after-action analyses of incidents like SolarWinds revealing gaps exacerbated by inadequate prioritization of core capabilities.[33] These findings suggest that non-cyber mandates contribute to opportunity costs, as limited personnel—totaling around 3,000 full-time equivalents by fiscal year 2022—face competing demands that delay responses to verifiable digital intrusions.[33]

While advocates for CISA's wider remit posit benefits in holistic threat awareness across hybrid digital-physical domains, empirical evidence indicates trade-offs, including diminished private sector self-reliance in infrastructure defense and inefficient resource allocation that fails to demonstrably reduce vulnerability exploitation rates.[141] Critics argue this overextension undermines causal efficacy, as first-principles analysis prioritizes targeted defenses against known attack vectors over diffuse monitoring, with no longitudinal data showing net security gains from such dilutions.[142]
Achievements, Evaluations, and Impact
Documented Successes in Threat Mitigation
In fiscal year 2024, the Cybersecurity and Infrastructure Security Agency's Pre-Ransomware Notification Initiative issued 2,131 notifications to organizations exhibiting indicators of early-stage ransomware activity, contributing to disruptions before encryption or data exfiltration could occur.[143] These proactive alerts, building on 3,368 total notifications since the program's inception two years prior, targeted high-risk sectors and enabled recipients to isolate compromised systems, thereby averting potential operational downtime and financial losses estimated in the millions across cases like 154 healthcare entities.[143][144]

The agency's Secure by Design campaign saw over 250 software manufacturers commit to the pledge by May 8, 2024, prioritizing security features such as multi-factor authentication by default and reduced default credentials to mitigate initial access vectors exploited by threat actors.[143][145] This adoption aimed to shift vulnerability burdens upstream, with participating vendors agreeing to roadmaps for memory-safe programming and transparent reporting on security outcomes.[143]

Through the Joint Cyber Defense Collaborative, CISA facilitated the release of nearly 1,300 cyber defense products in fiscal year 2024, including 58 joint-sealed advisories that accelerated indicators-of-compromise sharing among public and private partners.[143] These efforts enabled faster post-incident synchronization of threat intelligence, such as consolidated detection methods and tactics, techniques, and procedures for actors targeting remote monitoring tools since March 2023.[89]

CISA's Vulnerability Disclosure Platform supported the remediation of 861 vulnerabilities affecting federal systems in fiscal year 2024, with coordinated vulnerability disclosures totaling 845 cases and 427 advisories issued.[143] Additionally, protective domain name system services blocked 1.26 billion malicious connections to federal agencies, providing a measurable barrier against phishing and command-and-control communications.[143] These interventions demonstrated pre- and post-notification improvements in patch deployment for known exploited vulnerabilities, aligning with observed reductions in ransomware campaign persistence.[146]
Independent Audits and Performance Assessments
The DHS Office of Inspector General's audit report OIG-23-19, issued on March 3, 2023, evaluated CISA's capabilities for cyber threat detection and mitigation following the 2020 SolarWinds supply chain compromise. The report acknowledged progress, including CISA's completion of 13 out of 14 tasks mandated by Executive Order 14028 by May 2021 to enhance federal cybersecurity, as well as the January 2022 launch of a vulnerability disclosure platform adopted by 32 federal agencies. However, it identified persistent deficiencies, such as the Cybersecurity Division operating at 38% below full staffing capacity as of August 2022, with 1,201 of 3,620 authorized positions unfilled, and inadequate resource planning that left CISA without backup communications or secure facilities during the SolarWinds response.[147][33]

Survey data in the OIG audit underscored operational limitations, with 61% of 736 responding CISA employees (a 30% response rate) reporting insufficient staffing to meet mission demands, despite $93 million expended in fiscal year 2022 on network visibility and analysis tools. Technology gaps further hampered effectiveness, including incomplete access to Continuous Diagnostics and Mitigation program data across federal agencies and underdeveloped analytics for the National Cyber Protection System. The audit issued four recommendations, including updating CISA's Continuity of Operations Plan by October 31, 2023, documenting staffing needs by December 29, 2023, and developing plans for advanced threat analytics by May 31, 2023, though one recommendation on secure facility assessments remained open pending further documentation.[147][33]

Subsequent Government Accountability Office reviews have reinforced concerns over CISA's performance in specific areas. For instance, GAO-24-106576, published March 7, 2024, highlighted challenges in delivering operational technology cybersecurity products and services, including coordination issues with sector partners and inconsistent adoption metrics. Similarly, GAO-25-107470 from June 11, 2025, critiqued CISA's network monitoring program for lacking a robust process for continuous performance evaluation of endpoint detection and response solutions across agencies. These assessments indicate that while CISA has advanced certain capabilities, systemic resource and implementation hurdles continue to limit independent verification of operational rigor.[148]
Measurable Outcomes and Strategic Contributions
CISA's FY2024 enacted budget of $2.8 billion supported the development and deployment of no-cost cybersecurity tools, including vulnerability scanning services under the Cyber Hygiene program targeted at state, local, tribal, and territorial (SLTT) entities and critical infrastructure owners.[35] This investment yielded a 201% increase in Cyber Hygiene service enrollments across analyzed sectors from 2022 to 2024, correlating with moderate improvements in overall cybersecurity posture as measured by reduced exposure to known exploited vulnerabilities.[149] Participants in these services experienced an average 40% decrease in cybersecurity risks within the first 12 months of enrollment, primarily through automated notifications prompting patch deployment and configuration hardening.[150]

In threat mitigation, CISA's efforts contributed to enhanced national detection capabilities, with automated indicator sharing surging from approximately 1 million in calendar year 2023 to over 10 million in 2024, enabling faster cross-sector alerts on active exploits.[104] Complementary risk and vulnerability assessments (RVAs) numbered 143 in FY2023, identifying common weaknesses like unpatched systems in critical infrastructure, which informed prioritized remediation playbooks that standardized incident handling and arguably curtailed breach propagation by providing actionable, sector-agnostic response templates.[151] These outputs align with CISA's Cybersecurity Performance Goals (CPGs), adopted by entities to benchmark maturity, though long-term net value remains debated given persistent high-severity incidents and potential for created dependencies on federal tools without proportional private-sector innovation.[152]

Strategically, CISA's focus on outcome-oriented metrics, such as recovery efficacy post-incident, has fortified public-private resilience by integrating CPGs into risk management frameworks, reducing average disruption durations in supported exercises through predefined playbook steps for threat hunting and containment.[153] However, while enrollment and sharing metrics demonstrate scaled activity, causal attribution to breach severity reductions is indirect, as broader ecosystem factors like vendor patching delays persist, underscoring the agency's role in augmentation rather than substitution for entity-level accountability.[119]
Recent Developments and Future Directions
2023-2025 Strategic Plans and Roadmaps
In September 2022, CISA released its inaugural comprehensive Strategic Plan for fiscal years 2023-2025, outlining four primary goals to guide agency operations: strengthening cybersecurity for critical infrastructure sectors; improving the resilience of national infrastructure against physical and cyber threats; enhancing CISA's internal capabilities, partnerships, and operational excellence; and promoting a broader culture of security and resilience across government, industry, and the public.[154] This plan serves as a foundational roadmap, emphasizing proactive risk management and measurable progress in threat mitigation without expanding agency scope indefinitely, instead leveraging public-private collaboration to distribute defensive responsibilities.[154]

Building on this framework, CISA issued the FY2024-2026 Cybersecurity Strategic Plan in January 2024, aligning with the National Cybersecurity Strategy's emphasis on collaboration, innovation, and accountability to make damaging cyber intrusions rare.[155] The plan structures efforts around three goals: addressing immediate threats through enhanced visibility, vulnerability coordination, and joint cyber defense operations; hardening critical infrastructure by understanding adversary tactics and filling protection gaps; and driving systemic security changes, including trustworthy technology development and workforce building.[155] It incorporates annual operating plans with milestones and metrics, such as reduced incident dwell times and impact, to ensure priorities adapt empirically to evolving threats like state-sponsored intrusions and ransomware, rather than fixed ideological mandates.[155]

A core roadmap within these plans is the Secure by Design initiative, launched in April 2023 through joint guidance with industry partners, urging software manufacturers to embed security from the outset—via practices like memory-safe coding, transparent Software Bills of Materials, and default configurations that minimize vulnerabilities.[85] By May 2024, over 250 companies pledged participation, aiming to shift liability toward vendors and empirically reduce zero-day exploits by altering development incentives, as evidenced by prioritized metrics for vulnerability disclosure and product hardening.[156] This evolves into broader accountability measures, focusing causal interventions on high-impact areas like supply chain risks without endorsing unchecked regulatory growth.[85]

The plans also preview defensive roadmaps for emerging threats, including AI and hybrid attacks combining cyber with physical elements; CISA commits to guidance on secure AI deployment, protection against adversarial AI abuse in infrastructure, and quantum-safe cryptography migrations for systemically important entities, prioritizing data-driven mitigation over expansive new mandates.[155] Collaboration vehicles like the Joint Cyber Defense Collaborative facilitate real-time threat sharing, enabling targeted responses to hybrid threats from actors such as nation-states, while metrics track outcomes like faster vulnerability patching to align with causal threat dynamics.[155]
Key Activities and Policy Shifts in 2024-2025
In 2024, CISA advanced critical infrastructure protection through enhanced risk analysis capabilities, including upgrades to its Suite of Tools for the Analysis of Risk, and by fostering partnerships with industry, state, and local entities to mitigate sector-specific threats.[143] The agency allocated $279.9 million in funding through the Fiscal Year 2024 State and Local Cybersecurity Grant Program, enabling recipients to implement defensive measures against cyber risks.[157] Public awareness initiatives featured the May launch of the "We Can Secure Our World" campaign, promoting basic online safety practices, alongside October's Cybersecurity Awareness Month under the theme "Building a Cyber Strong America," which emphasized infrastructure resilience.[143][158]

Following the 2024 U.S. presidential election and transition to the Trump administration, CISA underwent significant policy adjustments, including a proposed 17% budget reduction announced on May 2, 2025, which contributed to staff layoffs and reassignments by October, depleting expertise in areas like threat hunting and support services.[159][160] These cuts reflected a broader recalibration away from prior emphases on expansive election security operations, which the administration critiqued as veering into censorship and overreach, toward prioritized responses to foreign adversaries and supply chain vulnerabilities.[161][162]

Operational continuity persisted amid these changes, as evidenced by CISA's issuance of Alert AA25-266A on September 23, 2025, detailing lessons from a federal agency incident response engagement, including recommendations to prioritize patching Known Exploited Vulnerabilities in high-risk environments and improve logging for threat detection.[120] The advisory underscored ongoing threats from state-sponsored actors exploiting unpatched systems, maintaining CISA's role in empirical threat mitigation despite internal resource strains and a pivot from domestic election-focused activities to international and infrastructure-centric defenses.[121] This shift highlighted causal effects of partisan leadership changes, with reduced federal election support prompting states to independently address gaps in voter system security.[163]