An Official Federal Cybersecurity Agency – Will This Provide The Protection That Small Businesses Need?

By Antonia Dumas, an Associate at XPAN Law Group.

Regarding the newly signed Cybersecurity and Infrastructure Security Agency Act of 2018, I came across an article that proclaimed: “The US now has an official federal cybersecurity agency.” And yes, technically this is an accurate proclamation, because this Act did create an official federal-level cybersecurity agency. However, what does this really mean for those of us in the private sector? Does it affect the private sector at all, or will this agency focus only on federal security issues, simply tying cybersecurity issues to those of federal infrastructures?

Expectations of the Agency

The overall expectation of the Cybersecurity and Infrastructure Security Agency (“CISA” or the “Agency”) is to reduce physical and cybersecurity threats to the country’s infrastructure. Security Magazine quoted the Agency’s first CISA director, Christopher Krebs, stating that the Act represents “real progress in the national effort to improve our collective efforts in cybersecurity,” and “elevating the cybersecurity mission within the Department of Homeland Security” will streamline operations. The DHS describes CISA as leading “the national effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow.” (See DHS’ announcement of the Act and its website). The new name “brings recognition to the work being done, improving its ability to engage with partners and stakeholders, and recruit top cybersecurity talent” and reflects the public-facing cybersecurity duties of the Agency. (See FCW’s Article).

An Overview of the Act

Under Section 2, the Act amends the Homeland Security Act of 2002 and adds additional provisions. It re-designates the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA). Sec. 2202(a). It divides CISA into three distinct divisions: the Cybersecurity Division, the Infrastructure Security Division, and the Emergency Communications Division (currently the Office of Emergency Communications). Sec. 2202(f).

Also under Section 2, the Act establishes that CISA be headed by the Director of National Cybersecurity and Infrastructure Security (now Krebs), who reports directly to the DHS Secretary. Sec. 2202(b). The Act also designates a Deputy Director and a Privacy Director to ensure compliance with federal laws. Sec. 2202(d), (h). The Director, and CISA as a whole, has a number of responsibilities that require coordination with federal government agencies (including Sector-Specific Agencies) and other government agencies and authorities (state, local, tribal, and territorial), as well as the private sector and other entities. Some of these responsibilities include: leading cybersecurity and critical infrastructure security programs and operations; coordinating with non-federal and federal entities; and carrying out responsibilities concerning chemical facility antiterrorism standards. Sec. 2202(c)(1)-(11); (e)(1)(A)-(Q). Section 2 also requires the Agency to report to Congress to ensure oversight. Sec. 2(d)(1)-(5); 2202(c)(6), (7) and (10).

Other sections make general changes within DHS. Under Section 3, the Act transfers the Office of Biometric Identity Management within DHS to its Directorate for Management. Under Section 4, DHS must report on its leadership role in cloud-based cybersecurity deployments for civilian federal departments and agencies (to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Government Reform and the Committee on Homeland Security of the House of Representatives).

Lastly, Section 6 states clearly that no additional funds are authorized to carry out the Act’s requirements (which may limit CISA’s functionality).

What Services and Resources Does the Agency Provide to Small Businesses?

Some of the various divisions and programs can be confusing, but essentially the same services and resources that were provided by the NPPD are now provided by CISA, and in particular by its Cybersecurity Division. The Cybersecurity Division’s protection and collaboration occurs through four primary functions: (1) The National Cybersecurity and Communications Integration Center (NCCIC), (2) Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR), (3) Federal Network Resilience, and (4) Network Security Deployment.

The functions of NCCIC and SECIR provide some useful services and resources to small businesses. NCCIC is the national flagship cyber defense, incident response, and operational integration center. NCCIC provides services to small businesses such as webinars and technical exchanges for analysts, digital malware analysis reporting, and sharing of cybersecurity information including emerging threats, warnings, and indicators of compromise. SECIR is a program whose stated aim is an “engaged and informed customer base driven to achieve a resilient and secure cyberspace ecosystem.” SECIR has programs and initiatives that help build public, private, and international partnerships so that it can strengthen resilience across the U.S.’s critical infrastructure and the cybersecurity community. (Examples of SECIR’s programs include the Critical Infrastructure Cyber Community Voluntary Program (C3VP), Automated Indicator Sharing, and the Cyber Information Sharing and Collaboration Program.)

What Actions Should Small Businesses Be Taking on Their Own?

Although the Act itself does not provide additional protections for small businesses, the revamping of CISA may encourage small businesses to take advantage of the Cybersecurity Division’s programs and resources. Hopefully, with the new name and the government’s intent to attract more cybersecurity specialists and ensure collaboration between departments, the Agency will be able to provide more useful resources for small businesses. For now, small businesses can take advantage of CISA’s currently available resources, such as those provided by the National Cybersecurity and Communications Integration Center (NCCIC) and Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR).

The existence of a federal cybersecurity agency brings some comfort that cybersecurity is a priority here in the U.S., but small and midsize businesses cannot blindly rely on this Agency or federal resources. To protect your business you must be proactive and diligent in implementing and continually updating your cybersecurity approach. Utilizing federal resources and incorporating federal best practices will only help you create a stronger cybersecurity approach for your business.

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.