By: Jen Easterly, Director, CISA
As we enter our fifth year as one of the youngest Agencies in the federal government, I’m incredibly proud of our team and what we’ve accomplished together. We’ve overcome obstacles to meet the demands of our mission, and we’ve grown significantly each year in capability and capacity, collaborating with our myriad of partners to reduce risk to the cyber and physical infrastructure American’s rely on every hour of every day. We’re not a law enforcement agency, nor an intelligence agency, nor a military organization, nor a regulator in the traditional sense. We’re largely a voluntary agency which relies on building trust with our partners across the globe—from every industry, to federal, state, local, tribal, territorial, and international governments, to non-profits, academia, and the research community—and adding value to help them improve their security and resilience. And we recognize that trust can only be built with transparency, humility, and open communication. People simply don’t trust institutions; they trust people.
A brief look back at the past four years is instructive context for our journey:
- We underwent a massive agency-wide reorganization that drastically changed our structure to include building a more regional approach to better serve our stakeholders across the nation.
- Following the designation of election infrastructure as critical infrastructure, we were front and center for many Americans for the first time during a high-profile presidential election in 2020, and again during this year’s midterm elections.
- We helped lead the Nation through several major cyber-attacks and vulnerabilities, including the most significant breach of federal civilian government networks and the most significant software vulnerability discovered in decades.
- We supported efforts to ensure preparedness for weather disasters and terrorist attacks, to include reducing the dangers of bombing attacks and the misuse of dangerous chemicals.
- And like the rest of the world, during half of our four-year existence, we were in a pandemic. That meant that while we worked with our critical infrastructure partners to issue guidance on how to move safely to a virtual environment and helped state and local officials make decisions about essential workers, we ourselves needed to develop our own virtual capabilities. We’re proud of how we’ve built our own hybrid workforce, and how our employees have adapted and continued to serve our nation.
It’s been a wild ride, but an incredible one, and every year we’ve matured, we’ve received new authorities and new responsibilities, while bringing in top-tier talent to confront a dynamic and increasingly complex threat landscape. This past year, 2022, has been an especially productive one for Team CISA, as highlighted in our Year in Review. In addition to what is reflected in those pages, I did want to separately give some insight into where we are as an organization and where we are going.
PEOPLE: People are our most important asset at CISA, and year after year, we’ve made progress in building our workforce to meet the demands of our mission. As Congress has continued to fund CISA to grow, we’ve continued hiring toward a goal of over 3,400 Full time Positions, some 400 of which we gained in just the past year’s budget. We now have nearly 2,800 employees onboard, hiring almost 200 new teammates in just the last 3 months. In fact, we’ve hired more than DOUBLE the people in the last two years than we’ve hired in the previous two, with 516 new hires in just FY22. In FY20, that number was only 267.
Hires over the past two years include top talent from the private sector, academia, and other agencies with many more top candidates in the pipeline. While government will never be able to fully match compensation in the private sector (and let’s face it—no one joins the government to make money!), we’ve been able to recruit and retain our talent in several ways. We provide flexible work arrangements, with over 80% of our workforce having transitioned to a blended telework experience or full-time remote work, flexibility which enables us to leverage talent across our nation. We also have unique hiring authorities, like the Cyber Talent Management System (CTMS), that allows us to move more quickly than under traditional federal hiring authorities, get closer to private sector compensation, and hire applicants based on skills, aptitude, and attitude—not simply based on degrees. So far, we’ve hired several dozen teammates using CTMS, and we look forward to ramping that up considerably in 2023.
All that said, like any organization, we have our challenges. Hiring still takes much longer than it should—a problem across the Federal government—as does securing clearances for those employees who do require them. To address these issues, our human capital and security teams have taken many behind the scenes steps to improve our processes, with additional changes coming this year. Separately, however, as we were built off the back of a staff element within DHS Headquarters, our workforce does not currently look like it should. We took time over the past year to examine and restructure teams that had too many layers of supervisors and too limited a span of control, and to begin reshaping our teams to ensure better balance across age and rank—we’re currently over 60% GS 14s and 15s—with a focus on recruiting more diverse talent and more entry-level talent, while creating strong career development opportunities for both supervisors and technical leaders. Needless to say, this is a long-term effort but one that is critical for our success.
Our rate of attrition has hovered around 8-9% each year since we were established. As we’ve evolved, we’ve had teammates who’ve retired, some who’ve left for great private sector opportunities, some who’ve been exited for poor performance or behavior, and some who just don’t like the direction the Agency is headed. In my view, that’s normal, healthy, expected, and welcome. A major influence in my life is the suicide of my little brother a little over 21 years ago. It led me to be a major advocate of mental health, as well as a devotee of the concept of “Ikigai,” a Japanese philosophy which holds that our lives should be guided by the ideal intersection of four precepts—do what you love; do what you’re good at; do what the world needs; and do what you can be rewarded for. As I often say: Life is short; if you’re not happy, you should do something else, or to paraphrase the flamboyant Mae West, “You only live once, but if you do it right, once is enough.”
CULTURE: Just as important as building a talented workforce is ensuring that we have the right People-First organizational culture to retain that workforce. This is no small endeavor. Building culture is hard work, and it takes time—it’s a journey, not a destination. And one that requires continuous engagement—why I’ve held more than 25 separate sensing sessions with teams across the Agency over the past year and nearly 100 1-1 office hours sessions with employees to get their feedback and listen to their ideas about building our Agency. Over the past year, we’ve co-created with our workforce the Agency’s first culture framework—establishing our Core Values and Core Principles, those behaviors we expect from each other and aspire to be as an organization. The overarching themes include trust, collaboration, empathy, inclusion, empowerment, ownership, and resilience…and a fundamental recognition that no asset is more important to our organization than our People.
- It’s a culture that recognizes that continuing to attract and retain world-class talent requires creating an environment of psychological safety, where people can be their authentic self, where they feel cared for, supported, empowered, and always treated with dignity and respect. It’s why we ran a 75-day sprint of workshops to promote psychological safety across the workforce this past year and will be digging in on this topic even more in 2023.
- It’s a culture that recognizes that pandemic fatigue, languishing and burnout, are all very real—why we made 2022 the Year of Mental Health and Wellbeing, making the Headspace Mindfulness App available to every employee for free; hosting a series of seminars by world-class experts on preventing burnout and safeguarding mental wellness; and revamping the assistance we provide to our teammates into a more employee-friendly CISA CARES program.
- It’s a culture that recognizes the value of constructive feedback—why we’ve implemented 360 reviews for our employees to encourage servant leadership and teamwork; and the importance of gratitude—why we created “CISA Thanks” as a web-based tool to easily recognize our teammates for who they are and what they do.
- And it’s a culture that prizes transparency and communication—why we hold Agency Town Halls every week, publish a weekly CISA Vision Newsletter, and regularly send out workforce communication messages from all levels of leadership.
We were particularly thrilled to welcome to CISA this past year our first-ever Chief People Officer who will play a critical role in building our People-First culture; leading our 2023 focus on a Year of Leadership and Learning; and continuing the three-year upward trend in employee engagement, as reflected in our Federal Employee Viewpoint Survey scores. On that note, while it’s great to see our FEVS scores increase, it’s more important to me that we use that data to make material changes that will accelerate our journey to being the best place to work in the federal government. More on that in the near future as we roll out plans for our Imagination Factory to take advantage of employee innovation…and eventually, our CISA Shark Tank.
BUDGET: We’ve benefited greatly from generous bipartisan support from Congress with annual funding that has grown every year since we were established, to include the recently signed FY23 omnibus package, which provides CISA $313 million more than the funding package enacted in FY22 and makes us a $2.9 billion Agency. Thanks to the incredible work of leaders across the Agency, we executed 99.87% of our FY22 funds, exceeding our closeout for FY21, which was 99.74%. I am both grateful for the generous support and mindful of our obligation to the Congress and the American people to ensure we are being good stewards of taxpayer dollars.
STRATEGY: Finally, I was particularly proud that we published our first-ever CISA Strategic Plan this past year, which lays out our goals and objectives for the next three years, organized around the four pillars of Cyber Defense, Risk Reduction and Resilience, Operational Collaboration, and Agency Unification. The plan clearly sets the path for where we will prioritize our efforts over the coming years, and, importantly, how we will measure our performance, with a focus on outcomes, not just activity. This last piece is a challenge as anyone in the business of security knows, as you’re essentially making investments so bad things don’t happen. That said we specifically added the word “reduce” into our mission statement, with regard to risk, to hold ourselves to a higher standard of accountability for truly improving the security and resilience of our infrastructure.
Our Strategic Plan focuses not only on “how” CISA works to reduce risk and build resilience, but also on how the agency is unifying as “One CISA” through integrated functions, capabilities, and workforce. Ultimately, the work reflected in our Year in Review is grounded in CISA’s core values of Collaboration, Innovation, Service, and Accountability, and reflects the efforts of the thousands of incredible teammates at CISA working selflessly day in and day out with our amazing partners to protect and defend our nation.
In sum, 2022 was a terrific year for Team CISA…and I’m relentlessly positive about 2023. Let’s do this!