Notice of the Establishment of the Cyber Safety Review Board

AGENCY:

Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA).

ACTION:

Notice of new review board establishment.

SUMMARY:

The Secretary of Homeland Security (Secretary), in consultation with the Attorney General, is establishing the Cyber Safety Review Board (CSRB) as directed by the Executive Order titled, Improving the Nation's Cybersecurity, and pursuant to the Homeland Security Act of 2002. DHS is announcing the establishment of the CSRB, a new review board, for public awareness.

FOR FURTHER INFORMATION CONTACT:

Erin McJeon, 202-819-6196 or CyberSafetyReviewBoard@cisa.dhs.gov.

SUPPLEMENTARY INFORMATION:

The Secretary, in consultation with the Attorney General, chartered the CSRB as directed by Executive Order 14028 and pursuant to 6 U.S.C. 451. The CSRB, which was chartered on September 21, 2021, will operate in an advisory capacity only.

The CSRB will convene following significant cyber incidents that trigger the establishment of a Cyber Unified Coordination Group as provided by section V(B)(2) of Presidential Policy Directive (PPD) 41; at any time as directed by the President acting through the Assistant to the President for National Security Affairs (APNSA); or at any time the Secretary or CISA Director deems necessary. Upon completion of its review of an applicable incident, the CSRB may develop advice, information, or recommendations for the Secretary for improving cybersecurity and incident response practices and policy. The Secretary, in consultation with the Attorney General, shall provide to the President, through the APNSA, any advice, information, and recommendations of the CSRB for improving cybersecurity and incident response practices and policy.

Whenever possible, the CSRB's advice, information, or recommendations will be made publicly available, with any appropriate redactions, consistent with applicable law and the need to protect sensitive information from disclosure.

Some of the issues the CSRB will address may require members to have access to classified information as well as sensitive law enforcement, operational, business, and other confidential information.

In recognition of the sensitive material utilized in CSRB activities and discussions, the Secretary has exempted the CSRB from Public Law 92-463, The Federal Advisory Committee Act, 5 U.S.C. app.

Membership: The CSRB shall be composed of no more than 20 members who are appointed by the CISA Director, in coordination with the DHS Under Secretary for Strategy, Policy, and Plans. The DHS Under Secretary for Strategy, Policy, and Plans shall serve as the inaugural Chair of the CSRB for a term of two years. Members will include at least one representative from the Department of Defense, the Department of Justice, DHS, CISA, the National Security Agency, and the Federal Bureau of Investigation. CSRB members will also include individuals from private sector entities to include appropriate cybersecurity or software suppliers.

Non-governmental members who serve on the CSRB will serve as Special Government Employees as defined in 18 U.S.C. 202(a). Members may be required to sign a non-disclosure agreement. Members may also be required to obtain a security clearance. Members shall consist of subject matter experts from appropriate professions and diverse communities nationwide, be geographically balanced, and shall include representatives of a broad and inclusive range of industries.

A representative from the Office of Management and Budget shall participate in CSRB activities when an incident under review involves Federal Civilian Executive Branch (FCEB) Information Systems, as determined by the CISA Director, and other individuals may be invited to participate in CSRB activities on a case-by-case basis depending on the nature of the incident under review.

Duration: Unless otherwise directed by the President, the Secretary may extend the life of the CSRB every two years as the Secretary deems appropriate, pursuant to 6 U.S.C. 451.