The Cyber Safety Review Board Should be Reinvigorated
February 2026
The US government’s Cyber Safety Review Board (CSRB) was established in a 2021 Executive Order to investigate complex cybersecurity failures and translate their lessons into recommendations to improve the nation’s cyber safety. The CSRB does not have regulatory powers or enforcement authority and was created as an analogue of the National Transportation Safety Board (NTSB) for cyber incidents. Its primary purpose was to determine the root causes of major cyber incidents and how to prevent their recurrence. Over the ensuing four years, the Board published three open reports on key cybersecurity incidents. In early 2025, the Administration dismissed all Board members, who were then invited to reapply for their positions. No members have been appointed since, and the Board is dormant.
The CSRB’s initial operations revealed some difficulties with its structure. These include:
- Lack of adequate staff: The CSRB was composed of private sector experts and US government agency executives. The private sector members of the CSRB served as unpaid Special Government Employees. Support for the Board, including logistics and writing, was provided by a small cadre of contractors. Board members themselves were the primary source of technical expertise. To be successful, the Board needs full-time staff with adequate expertise both in cybersecurity and in producing technical reports. This is consistent with the operation of the NTSB.
- Lack of subpoena power: The CSRB was unable to compel corporate participation in investigations, unlike the NTSB, which has subpoena power.
The Association for Computing Machinery (ACM) US Technology Policy Committee (USTPC) strongly urges that the CSRB be reactivated. This could be done administratively. However, we recommend that a legislative basis for the organization be created for long-term stability. Such legislation should address:
- The need for the CSRB to be permanent, independent, and non-regulatory. The CSRB should have the mandate to investigate incidents of national importance relating to cybersecurity and/or privacy.
- Mission. The CSRB should investigate and report on cyber incidents from a technical perspective, with the goal of identifying methods to prevent incident recurrence, just as the NTSB identifies failure causes and makes recommendations to prevent future accidents. Also, like the NTSB, the CSRB should not have a role in law enforcement or criminal investigations.
- Board constitution and qualifications. The size and composition of the CSRB should be adequate to address the size, scope, and number of incidents to be investigated. The CSRB should consist of five full-time members, serving as government employees, drawn from both inside and outside government, with deep technical backgrounds. CSRB members should be appointed for terms of at least 5 years, with the option to extend for at least one additional term. CSRB members should be responsible for staff oversight, and the CSRB should be provided with a permanent staff, selected for their expertise in cybersecurity and technical investigations. The staff should have primary investigatory responsibility.
- Consultation on membership. Members of the CSRB should be appointed with advice from industry, academia, government (including National Labs), and civil society organizations.
- Conflicts of interest. CSRB members should be required to disclose conflicts of interest with investigations, and recuse themselves from direct investigations where appropriate, but such COIs should not preclude participation in Board-level discussions on a given investigation.
- Subpoena authority and limitations. The CSRB should have subpoena authority to obtain information relating to its investigations. Information provided to the CSRB in the course of its investigations should be protected from use in civil litigation and regulatory enforcement actions. CSRB findings and analysis should be inadmissible in court proceedings, consistent with the protections afforded to NTSB investigations. These protections are essential to fostering the candid cooperation that effective root-cause analysis requires.
- Report openness. CSRB reports should seek to be public to the maximum extent possible. However, the CSRB should have the ability to receive proprietary and/or classified information for members and staff who hold appropriate clearances. If appropriate, CSRB reports may have proprietary and/or classified annexes to share information that may be inappropriate for public disclosure.
- Resources. The CSRB should be provided with adequate budget and other resources (staff, office space, classified space) to perform and release cybersecurity and privacy reports at an initial rate of 4 reports per year, with the rate to change in line with widely reported rates of cyber incidents.
- Report recommendations. Any recommendations for use or adoption of technology solutions in CSRB reports should be vendor-agnostic.
The increasing use and sophistication of AI will not remove the need for CSRB evaluations. Rather, it is already apparent that the increasing use of AI to develop and maintain software is likely to lead to new classes of subtle and dangerous errors. Security and/or privacy incidents arising from such errors must be identified and analyzed independently. Additionally, AI will be used to develop new classes of attacks; the Board must be prepared to analyze such incidents as part of its mission.
