CISA Maps Out Next Moves in New Cybersecurity Strategic Plan

CISA’s FY2024-2026 Cybersecurity Strategic Plan guides the agency toward its goals of addressing immediate threats, hardening the terrain, and driving security at scale.

By Jill McKeon

As cyberattacks continue to impact critical infrastructure organizations across the country, the Cybersecurity and Infrastructure Security Agency (CISA) is tackling cyber risk head-on. The agency’s newly released FY2024-2026 Cybersecurity Strategic Plan outlines CISA’s plans for addressing cyber risk in a collaborative manner.

The plan is aligned with the National Cybersecurity Strategy, which was released in March 2023 and consists of key focus areas around defending critical infrastructure and dismantling threat actors.

Similarly, the Cybersecurity Strategic Plan centers around three specific goals. The first is to address immediate threats by making it difficult for adversaries to achieve their goals. To accomplish this feat, CISA intends to work with partners to gain visibility into cyber intrusions, coordinate the disclosure and mitigation of exploitable vulnerabilities, and exercise effective incident response efforts.

“We must increase the costs borne by transgressors and increase friction for malicious activities by leading a national effort defined by speed and scale: when an adversary compromises an American network, they are rapidly detected and evicted before damage occurs; when an exploitable condition manifests, it is similarly detected and remediated before an intrusion takes place,” CISA stated.

The agency emphasized the crucial role of collaboration and innovation in achieving this goal.

Second, the agency has identified the goal of “hardening the terrain” to further defend US infrastructure from cyber threats. Achieving this goal involves understanding how attacks occur by analyzing cyber incidents and gaining actionable insights about what security measures can help reduce risk.

“Starting with the federal civilian executive branch, we must shift the balance of risk management and security investment decisions across the country,” CISA noted.

“We will achieve this change by providing clear, actionable guidance, by using all available levers to influence risk decisions of organizational leaders, by providing best-in-class services that help ‘target rich, resource poor’ entities address gaps in their security programs, and by continuously measuring the state of American cybersecurity to understand areas for needed focus and investment, all informed by our understanding of the adversaries.”

Under this pillar, CISA plans to expand its Continuous Diagnostics and Mitigation program, which provides threat-hunting visibility across federal civilian executive branch agencies. Additionally, the agency intends to increase the number of vulnerabilities identified via its vulnerability disclosure platform.

The third goal under the latest iteration of the Cybersecurity Strategic Plan is to drive security at scale. Security experts have long advocated for “security by design” during product development. This goal underscores CISA’s thoughts on the matter, as the agency plans to release updated criteria and best practices for developing products that are secure by default.

“We will partner with like-minded organizations across government and industry to drive progress toward a world in which a technology product must be safe before it can be sold,” CISA pledged.

“We will focus first on defining what it means for a technology product to be safe and secure, collaboratively developing guidance and technical criteria to help customers choose safe products and manufacturers to deliver accordingly.”

Over the next three years, CISA plans to work toward these ambitious goals to enable a more secure future.

“We must be clear-eyed about the future we seek, one in which damaging cyber intrusions are a shocking anomaly, in which organizations are secure and resilient, in which technology products are safe and secure by design and default,” CISA stated.

“This is a shared journey and a shared challenge, and CISA, as America’s cyber defense agency, is privileged to serve a foundational role in the global cybersecurity community as we achieve measurable progress to our shared end state.”