CISA Faces Challenges Sharing Cyber Threat Information as Required by the Cybersecurity Act of 2015

Date Issued

Thursday, September 26, 2024

Submitting OIG

Department of Homeland Security OIG

Other Participating OIGs

Department of Homeland Security OIG

Agencies Reviewed/Investigated

Department of Homeland Security

Report Number

OIG-24-60

Report Description

The Cybersecurity and Infrastructure Security Agency (CISA) addressed the basic information-sharing requirements of the Cybersecurity Act of 2015. In calendar years 2021 and 2022, CISA updated its guidance, properly classified cyber threat indicators (CTI) and defensive measures, and accurately accounted for security clearances to address the basic information-sharing requirements of the Act. In March 2022, CISA completed upgrades to its Automated Indicator Sharing (AIS) 2.0 capability to address information-sharing limitations.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 1 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
1	No	$0	$0
We recommend that the Director of CISA develop and implement a strategy and performance metrics to actively recruit and retain Automated Indicator Sharing participants, including Federal data producers.