Cyber Innovation Fellows Initiative
Collaboration with the private sector is at the heart of CISA’s cybersecurity mission. Every day, CISA works with industry partners across the country to understand risks, exchange information, and mitigate threats. We launched the Cyber Innovation Fellows Initiative to take this partnership to a new level by bringing private sector experts into the agency on a short-term, part-time basis to lend their expertise to some of our most critical teams.
The constantly shifting cyber risk landscape requires CISA to stay on the leading edge of key areas, from cloud security to threat intelligence. The Cyber Innovation Fellows Initiative allows some of the nation’s most skilled and experienced practitioners and experts to bring their perspectives to CISA on a short-term basis to advance our national mission to reduce cyber risk at scale. Participants are helping to innovate the agency’s approach to cybersecurity, while also gaining awareness of CISA’s mission that will enhance the participant’s own skills and knowledge.
CISA Cyber Innovation Fellows
As of September 2023, the Cybersecurity and Infrastructure Security Agency (CISA) onboarded all six individuals selected for the CISA Cyber Innovation Fellows Initiative.
Chris Hughes, Aquia
Chris brings nearly 20 years of IT and cybersecurity experience to his role as co-founder and chief information security officer at Aquia. As a United States Air Force veteran and former civil servant in the U.S. Navy and the General Services Administration’s FedRAMP program, Chris is passionate about making a lasting impact on his country and our global cyber community at large.
He holds a B.S. in Information Systems, an M.S. in Cybersecurity, and an MBA. He regularly consults with IT and cybersecurity leaders from various industries to assist their organizations with their digital transformation journeys, while keeping security a core component of that transformation.
Role at CISA
Chris is joining our Cybersecurity Division. He will coordinate and enable CISA’s global cross-sector community efforts around Software Bill of Materials (SBOM) adoption and use, particularly as it pertains to cloud and SaaS-based software. He will also advise on and contribute to Software Supply Chain Security guidance and publications. Additional responsibilities include facilitating public/private sector working groups to address software supply chain security concerns, tooling and challenges. Finally, he will advise policy makers and technologists on recommendations to bolster software supply chain security.
Michelle Hook, CLS International Bank
Michelle Hook is an accomplished cybersecurity leader with a track record of building and supporting global cyber threat intelligence and threat management programs. With 9 years of experience in the private sector, she brings a wealth of expertise to CISA and is eager to collaborate with the team.
Role at CISA
During her time at CISA, Michelle is joining our Capacity Building Subdivision as a senior threat advisor. Here, she will advise us on the development of CISA’s cyber threat intelligence strategy, vision, roadmap, and implementation plan, while providing us with formal and informal recommendations for the agency to consider. She will also help facilitate community partnerships and inform and support outreach and engagement efforts to better understand the cyber threat intelligence needs of the community. Additionally, she will work to build key alliances to address longstanding issues, challenges, and barriers and help validate CISA’s current approach. Finally, she will advise the agency on the development of its cyber threat intelligence strategies, operational models, frameworks, and technical plans to move the cybersecurity community collectively towards cyber threat intelligence automation and enhanced cyber domain awareness.
Francisco (Frank) Ureña, Oxford Computer Group US
Francisco (Frank) Ureña has more than 25 years of IT and cybersecurity experience in the private sector. Approximately 15 of those years have been in managing internal networks and infrastructure and maintaining secure access to systems and data. For the past 7 years, Frank has been a consultant and solutions architect focused on Identity and Access management systems and cloud security with a particular focus on Zero Trust computing.
Role at CISA
Frank is joining us as a Zero Trust and Cloud Security Advisor in CISA’s Cybersecurity Division, Office of the Technical Director. His additional responsibilities, while at CISA, include providing strategic architecture and consulting with respect to Zero Trust principles. He will also guide the agency on governance and private sector stakeholders on Zero Trust architecture. Finally, he will provide input to develop Zero Trust and Cloud Security-relevant services for Federal Civilian Executive Branch (FCEB) agencies.
Dr. Stephen Magill, Sonatype
Dr. Stephen Magill was the CEO and co-founder of MuseDev, and is now VP of Product Innovation at Sonatype. He has spent his career developing tools to help developers identify errors, gauge code quality, and detect security issues. Stephen has published extensively on the topics of program analysis, privacy, and machine learning and has led multiple large-scale research initiatives including DARPA projects on privacy, security, and code quality. He has also served as a research lead for the Sonatype State of the Software Supply Chain report since 2019. Dr. Magill earned his Ph.D. in Computer Science from Carnegie Mellon University, and his BS from the University of Tulsa.
Role at CISA
Dr. Stephen Magill is joining us as a Software Bill of Materials (SBOM) Advisor in our Vulnerability Management team. Here, Dr. Magill will provide insight on how CISA can best lead the global effort to advance, refine, and promote SBOM. He will also provide private sector expertise and insight to support Annual Operating Plan goals, such as assisting CISA to better understand what incentives best stimulate private sector entities in becoming a CVE Numbering Authority or SBOMs participant or sharing pre-disclosure information. Finally, he will perform a series of assignments or a special project providing high-level advice and assistance to CISA leadership and Executive leadership of a CISA Division.
Jesse Heatley, USAA®
Jesse Heatley is a cybersecurity specialist, foreign affairs expert, and public policy professional with 17 years of consulting, business, and government experience. He is currently a senior cyber threat intelligence and engagement specialist with United Services Automobile Association (USAA®), a leading provider of insurance, banking, investment, and retirement solutions to the U.S. military community. He is passionate about cybersecurity cooperation and public-private engagement, since he believes these are essential to protecting our critical infrastructure and creating a more secure and resilient world.
He holds an A.M. in East Asian Studies from Harvard University and an M.P.P. in business and government relations from Harvard Kennedy School. He is currently pursuing an M.S. in Cybersecurity at New York University and has completed advanced coursework at National Taiwan University, Johns Hopkins University, and the Massachusetts Institute of Technology. He has received several fellowships, including a Fulbright fellowship, for work and research overseas.
Role at CISA
Jesse Heatley is joining CISA’s Joint Cyber Defense Collaborative as a Risk Analyst. Here, Jesse will develop data models and other analytical tools to support risk management, cybersecurity operations, policy, and intelligence coordination initiatives. He will also support CISA leadership with decision making on critical initiatives, using risk analysis to develop plans and reports. Additional responsibilities include supporting planning and execution of cyber defense operations and intelligence coordination. Jesse will also develop presentations and talking points and conduct senior leadership briefings on risk analysis findings and coordination updates. Finally, he will work with cyber officials and analysts in the government, intelligence community, and public-private partnerships, as appropriate, on risk assessments.
Brett Leighton, John Deere
Brett Leighton is a cybersecurity and risk leader with more than 18 years of information security and information technology experience, building enterprise solutions and teams for both government and Fortune 100 companies. In his current position as Director of Digital Risk Management at John Deere, Brett is pioneering the company’s digital risk program, an industry leading technology risk governance practice that integrates cybersecurity, data risk, product security risk, IT operational risk, and operational technology risk into a unified platform, enabling risk decision makers at all levels of the company to understand and respond to risk related to their digital assets and services.
Brett also currently serves as the Branch Chief of Cyber Operations for the Iowa National Guard and is the principal military cybersecurity advisor to the Iowa Governor, The Adjutant General, and Joint Staff, directing the use of cyber operations in concert with state, local, tribal, and national partners.
Role at CISA
Brett Leighton is joining CISA’s Joint Cyber Defense Collaborative (JCDC) as a Cyber Operations Planner. Here, he will develop and maintain cybersecurity plans, strategies, policies, and doctrine to support and align with organizational cybersecurity initiatives. Finally, Brett will support the JCDC’s cyber operations planning efforts involving a wide range of partners—including internal partners; federal partners such as the Intelligence Community, law enforcement, the Department of Defense, and federal civilian executive branch partners; private sector partners; international; and state and local partners—to address full spectrum cyber threats and vulnerabilities.
Frequently Asked Questions (FAQ)
- Q. What is the Cyber Innovation Fellows Initiative?
A. The CISA Cyber Innovation Fellows Initiative offers technical experts from across the private sector the chance to embed on CISA’s cybersecurity teams and contribute to CISA’s critical national mission while also enhancing their own professional development and experience.
- Q. Why is CISA undertaking this initiative?
A. The rapidly evolving cyber risk landscape requires that CISA find new, innovative ways to engage new perspectives outside of the federal government. The Cyber Innovation Fellows Initiative marks an important milestone in CISA’s engagement with a broader community of experts whose training and expertise, creativity around solutions, and desire to make a difference in improving global cybersecurity will make for dynamic, additive, and valuable contributions within the CISA mission space.
- Q. What types of activities are participants conducting?
A. Through consultation, Fellows help design the implementation of CISA’s cybersecurity programs and services, as well as strategies to scale new approaches to Artificial Intelligence and Machine Learning, post-compromise containment, initiative evaluation and analysis, and cloud security, in addition to CISA’s legacy initiatives supporting federal cybersecurity.
- Q. Where do the Fellows work?
A. Participants are given the option to work remotely, according to preference. They also have onsite access if/when needed.
- Q. Why should a company support an employee participating in the CISA Cyber Innovation Fellows?
A. Employees are always looking for professional development and career advancement opportunities, many of which are unavailable within their company. CISA’s Cyber Innovation Fellows Initiative allows companies to take advantage of an opportunity to do both.
Additionally, participants will bring new insight back to their company as they learn how the federal government responds to a cyber incident on a national scale and come to understand CISA’s role as the lead federal agency responsible for protecting civilian and federal government networks.
- Q. Does participating give a company any special status?
A. Allowing an employee to participate in the CISA Cyber Innovation Fellows offers development benefits for the Fellow, which in turn benefits their home company, but participation in the initiative does not confer on a private sector organization any direct benefit or special status with CISA.
- Q. How many Fellows does CISA plan to take this year?
A. CISA offered 7 Fellows the opportunity to be part of the first cohort for 2023.
- Q. How long is the stay for each Fellow?
A. These positions are on a part-time basis of two days per week for a period up to four months. Experts may have the option to extend their time with CISA but are limited to serving only 130 days within a 365-day period. Appointments under this initiative cannot be made in anticipation of seeking permanent employment with CISA.
- Q. Are security clearances required?
A. All federal jobs are subject to basic public trust/suitability checks. Additional requirements depend on the position.
- Q. Are the Fellows compensated by CISA?
A. Fellows are compensated solely by their private sector company and must sign a written acknowledgement that the initiative will be uncompensated.
- Q. How many applied to the inaugural offering?
A. Twenty-six individuals applied to the Initiative during the initial offering.
- Q. Why should candidates participate in this initiative? What are they getting out of it?
A. The initiative is intended to advance the essential partnership between CISA and the private sector by ensuring that the agency benefits from deep expertise across critical disciplines.
Fellows will gain professional development and bring new insight back to their home organization as they learn how the federal government manages cyber risks on a global scale and CISA’s role as the nation’s cyber defense agency.
- Q. What’s it like to work at CISA?
A. As the nation’s cyber defense agency, we were designed to be something different, not another government bureaucracy, but something much more akin to a public/private collaborative. Additionally, CISA has a culture that embraces diversity and puts people first. CISA’s Core Values represent the fundamental tenets of the organization that guide all of our actions: Collaboration, Innovation, Service, Accountability.
- Q. Are there any other onboarding requirements?
A. All Fellows are required to submit a Confidential Financial Disclosure Report (OGE-450), as well as attend an Ethics briefing before onboarding. A signed non-disclosure agreement is required. Drug testing is required for all CISA employees.
- Q. When does CISA plan on reopening the application period for the next cohort?
A. The agency is still assessing the possibility of renewing this program next year. Once this first cohort is completely onboarded, CISA will evaluate the progress of the Initiative and incorporate any feedback from the Fellows into the decision-making process.