The Homeland Security Department is establishing a Cyber Safety Review Board that will convene after major cyber events to review and act on them, according to a Federal Register notice scheduled for publication Thursday.
The Federal Register notice brings to fruition an idea long circulated among cybersecurity policymakers and thinkers, one set in motion by an executive order President Joe Biden signed in May 2021. The idea is to mimic the National Transportation Safety Board that reviews civil aviation accidents.
The board (CSRB) will have no more than 20 members, with one each required from DHS, its Cybersecurity and Infrastructure Protection Agency, the Department of Justice, the National Security Agency and the FBI. The DHS undersecretary for strategy, policy and plans — a post held by Rob Silvers — will serve as the inaugural two-year chair.
The board will be convened when an incident prompts formation of a Cyber Unified Coordination Group, a National Security Council-established organization for unifying government response to cyber incidents such as those that hit critical infrastructure owners and operators. The 2020 SolarWinds breach, which caused the compromise of both federal agencies and major tech companies, led to a public announcement that a coordination group was forming.
Alternatively, the secretary of DHS or the leader of CISA can initiate a meeting of the CSRB.
“Upon completion of its review of an applicable incident, the CSRB may develop advice, information, or recommendations for the Secretary for improving cybersecurity and incident response practices and policy,” the notice states.
The board won’t be subject to the federal law requiring open meetings of federal advisory committees, according to the notice, since members will sometimes review classified and otherwise sensitive data.
Still, the notice reads, “Whenever possible, the CSRB’s advice, information, or recommendations will be made publicly available, with any appropriate redactions, consistent with applicable law and the need to protect sensitive information from disclosure.”
Some advocates of creating the board were disappointed that the executive order contained no mandate for public reporting, which could help avert future incidents.
At times the CSRB might draw on nongovernmental representatives, such as cybersecurity or software suppliers.
“Members shall consist of subject matter experts from appropriate professions and diverse communities nationwide, be geographically balanced, and shall include representatives of a broad and inclusive range of industries,” according to the notice.
Originally published by CyberScoop under the title “DHS assembles Cyber Safety Review Board to imitate fed agency that studies aviation accidents.”