What is an Administrative Subpoena?
- Subpoenas are legal orders that compel the recipient to take certain actions. Administrative subpoenas are issued by federal agencies, rather than by judges or grand juries. CISA is authorized by law to issue administrative subpoenas for the narrow purpose of identifying and notifying the owners and operators of internet-connected systems with specific security vulnerabilities.
What is a "covered devices or system"?
- Per 6 U.S.C. § 659(p), "'Covered device or system' means a device or system commonly used to perform industrial, commercial, scientific, or government functions or processes related to critical infrastructure, including operational and industrial control systems, distributed control systems, and programmable logic controllers. The term “covered device or system” does not include personal devices or systems, such as consumer mobile devices, home computers, residential wireless routers, or residential internet enabled consumer devices.
The administrative subpoena process includes the following steps.
Detect and Analyze
When CISA analysts detect a security vulnerability in an internet-connected system, they may initiate the administrative subpoena process if they have reason to believe:
- The vulnerability relates to critical infrastructure (CI),
- The vulnerability affects a "covered device or system", and
- The analysts are unable to identify the entity that owns or operates the system.
Before initiating the administrative subpoena process, CISA analysts must perform a critical infrastructure security risk assessment. The following links provide information on the criteria and processes for the two risk assessment methodologies analysts currently use.
- SSVC https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=636379
- NCISS CISA National Cyber Incident Scoring System | CISA
Prepare Administrative Subpoena
- CISA coordinates each administrative subpoena with the Department of Justice (DOJ) pursuant to statutorily-required written procedures.
- By statute, CISA’s administrative subpoenas are limited to compelling the production of only four categories of information: name; address; length of service (including start date) and types of service utilized; and telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address.
Approval and Cryptographic Digital Signature
After DOJ coordination, each administrative subpoena is signed with a cryptographic digital signature by an authorized CISA representative. For more information, please see the Subpoena Signature Verification page.
Service of an Administrative Subpoena
Once the administrative subpoena has been authenticated with a cryptographic digital signature, CISA serves the administrative subpoena on the appropriate entity (e.g., the at-risk entity's Internet Service Provider).
Administrative Subpoena Enforcement
CISA administrative subpoenas are enforceable by DOJ in federal district court.
Receive Response from Served Entity
CISA uses information obtained through administrative subpoenas for cybersecurity purposes only. This information is not shared except under the circumstances set out in Sharing of Information Obtained by Subpoenas.
CISA takes the following action after it receives a response from the served entity that identifies the at-risk entity:
- Notifies the at-risk entity of the administrative subpoena and the vulnerability.
- Note: CISA will take this action no later than seven days after receiving the information identifying the at-risk entity.
- The CISA Cybersecurity Division oversees the notification of the at-risk entity.
- This notification includes:
- A statement that responding to—or subsequent engagement with—CISA is voluntary, and
- Information regarding how CISA identifies security vulnerabilities.
Documentation of Mitigation
In its annual congressional reporting, CISA shall describe the outcome of the administrative subpoena and include a discussion on the resolution or mitigation of the CI security vulnerability.