Overview: CISA Cybersecurity Strategy for 2024-2026

The Cybersecurity and Infrastructure Security Agency (CISA) has outlined its strategic plan for cybersecurity for the fiscal years 2024 to 2026. As with many government documents, there is a lot in it. I encourage anyone in the industry to read it, but I know we are all very busy, so here’s an executive summary:

  1. Strategic Intent and Vision: The 2023 U.S. National Cybersecurity Strategy emphasizes collaboration, innovation, and accountability. The vision is to create an environment where damaging cyber intrusions are rare, organizations are resilient, and technology products are inherently secure. CISA aims to play a foundational role in this vision.
  2. The Current Landscape: The U.S. heavily relies on connected technologies for essential services. The increasing dependence on technology has made it a target for malicious cyber actors. The current environment is insecure, making it challenging to defend against threats.
  3. Strategic Goals:
  • Goal 1: Address Immediate Threats – This involves increasing visibility into cybersecurity threats, coordinating the disclosure of vulnerabilities, and planning for joint cyber defense operations.
  • Goal 2: Harden the Terrain – The focus here is on understanding attacks, driving the implementation of effective cybersecurity measures, and providing cybersecurity capabilities that fill existing gaps.
  • Goal 3: Drive Security at Scale – This goal aims to promote the development of trustworthy technology products, understand risks posed by emerging technologies, and contribute to building a national cyber workforce.
  4. Collaboration and Core Values: CISA emphasizes that cybersecurity is a mission that involves the whole of CISA, the whole of the government, and the whole of the nation. Collaboration is essential for success. CISA’s core values include collaboration, innovation, service, and accountability.
  5. Prioritization and Impact: CISA acknowledges that its resources are finite. Therefore, it will prioritize its actions to have the most significant impact on the American people. The agency will focus on federal agencies, resource-poor entities, organizations critical to national functions, and key technology providers.
  6. Addressing Immediate Threats: The current environment makes it easy for malicious actors to target American organizations. CISA aims to make American networks challenging targets for adversaries by increasing visibility into threats, coordinating vulnerability disclosures, and planning joint cyber defense operations.
  7. Conclusion: CISA recognizes the need for agility, collaboration, and innovation in its approach. The agency is committed to working with various stakeholders, including government agencies, the private sector, and international allies, to achieve its cybersecurity goals.

The document leaves some questions unanswered:

  1. How will the collaboration between CISA and other stakeholders evolve to address the dynamic nature of cyber threats? The DHS bi-weekly call is a good start for this but it’s one-way. There are many programs from DHS and CISA that support the private sector now.
  2. As technology continues to advance rapidly, how will CISA’s strategies adapt to ensure that emerging technologies are secure and trustworthy? My guess is that CISA as a government agency will not address this because it hinders the “free market” but there are so many products out there that it’s hard to know which are really valuable.
  3. Given the emphasis on collaboration, how can organizations, both public and private, be incentivized to actively participate and share information to enhance national cybersecurity? If your company is big enough to join the ISAC (Information Sharing and Analysis Center) for the sector, do it! If you aren’t, I suggest joining InfraGard as a first step in connecting with the government. You will find it opens doors.

References:

CISA Cybersecurity Strategic Plan FY2024-2026


Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.
