July 27, 2022

Last Updated on January 19, 2024

The US government established the Cyberspace Solarium Commission (CSC) in 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” On March 11, 2020, the commission presented its final report to the public. 25 of its recommendations became law with the passage of the National Defense Authorization Act (NDAA) of 2021, dubbed “the most comprehensive and forward-looking piece of national cybersecurity legislation in the nation’s history.” Many more CSC recommendations subsequently have made it into roughly 50 other pieces of legislation.

What was in that CSC report? And why are its recommendations important for federal agencies, their suppliers and critical infrastructure orgs in particular?

To talk about how the Cyberspace Solarium Commission came to be, what it accomplished and how those results could impact your future, Mark Montgomery, former CSC Executive Director and now Senior Fellow at Foundation for Defense of Democracies, joined a recent episode of The Virtual CISO Podcast. The show’s host is Pivot Point Security CISO and Managing Partner, John Verry.

6 pillars of recommendations

Recognizing that “you cannot eat an elephant in one bite,” Mark explains that the CSC report groups the 80 recommendations under 6 pillars: “We began to think about cyber across these 6 lines of effort. And when those melded together, we ended up with these 6 pillars under which the different legislative and executive branch recommendations were binned.”

This made it easier for the CSC to promote its recommendations, including getting different legislators and committees to “own them” and fight to move them forward.

The six CSC pillars are:

  1. Reform the US Government’s Structure and Organization for Cyberspace
  2. Strengthen Norms and Non-Military Tools
  3. Promote National Resilience
  4. Reshape the Cyber Ecosystem
  5. Operationalize the Cybersecurity Collaboration with the Private Sector
  6. Preserve and Employ the Military Instrument of National Power

Organizing the US government

According to Mark, one of the pillars where the most progress has been made since the CSC report came out is #1, on organizing cyber leadership within the US government.

“The first thing is the National Cyber Director, that strategic leader at the White House,” says Mark. “I think it has evolved. A job was created by the NDAA, and it’ll eventually be 80 people inside the White House, for coordinating the inter-agency on a really significant, challenging issue.”

Why does the Office of the National Cyber Director need 80 staffers to help coordinate cybersecurity programs across the government?

“You can’t have the National Security Council with 5 or 6 people do it,” explains Mark. “They can do fantastic work. But they can’t do the grunt work of organizing 102 federal agencies to be generally pointed in one direction.”

Aligning with CISA

Another area Mark highlights within the CSC recommendations is “getting the Cybersecurity Infrastructure and Security Agency (CISA) right.”

An increasingly prominent federal entity under the Biden administration, CISA is an operational component of the Department of Homeland Security that is “leading the national effort to understand, manage and reduce risk to our cyber and physical infrastructure.” Partnership and collaboration with industry is a key element of CISA’s mission. Its two key roles are:

  • To act as the operational lead for federal cybersecurity (aka “the dot-gov”)
  • To act as the national coordinator for critical infrastructure security and resilience

CISA’s purview spans “the entire threat picture” as the agency seeks to forge “a collective defense” that makes US critical infrastructure secure and resilient.

“We had a total of 10 recommendations for CISA; I think 7 are done so far,” Mark notes. “They have to do with establishing different organizations within it, authorized to do different types of work, particularly threat hunting within the dot-gov.”

Do we really need more regulation?
Why expend so much effort creating committees and reports and agencies when most of the US government cyber initiatives that have been on the table for years remain incomplete?

Mark points out: “There was a wild west of how we were organized and a massive disparity between how Treasury and the financial services work and Energy work… down to Water, where EPA has literally two people running this sector management in cybersecurity for 52,000 drinking water utilities and 10,000 to 12,000 wastewater. When you have two people watching 52,000, you’re doing website management and that’s a big deal. … So, that sector risk management agency stuff was important.”

What’s next?

To listen to the full show with Mark Montgomery, click here.

What is the Biden administration doing about cybersecurity? This podcast covers the sweeping “cyber executive order”: EP#58 – Scott Sarris – The Cybersecurity Executive Order: What You Need to Know


New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.