The Cybersecurity and Infrastructure Security Agency (CISA) today debuted its cyber plan for the next three years, noting that the agency’s planning document builds on the White House’s National Cybersecurity Strategy released earlier this year.
The 36-page document has three main goals for fiscal years (FY) 2024-2026: address immediate threats; harden the terrain; and drive security at scale.
“The National Cybersecurity Strategy sets forth a vision and a plan to change the trajectory of our national cybersecurity risk,” CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein wrote in an Aug. 4 blog. “Now it’s up to all of us, government and private sector, domestic and international, to execute.”
“That’s where our Cybersecurity Strategic Plan comes in,” Goldstein said. “Where the National Cyber Strategy calls for foundational shifts to help America outpace our adversaries and set a national agenda on our terms rather than theirs, and CISA’s Strategic Plan outlines how we’ll work together as a unified agency grounded in common values, our Cyber Strategic Plan focuses on the ‘how’ and – of critical importance – how we’ll know if we’re making progress.”
Perhaps most notably, CISA’s cybersecurity strategy goes beyond overarching goals and spells out specific measures of effectiveness – not just measuring whether the agency has done the work, but whether the work is making the country more secure.
Throughout the plan, nearly 30 measures of effectiveness are outlined. For example, CISA will measure improvements in the time to detect adversary activity, the time to fix Known Exploited Vulnerabilities, adoption of the Cybersecurity Performance Goals, and the number of government entities using the secure DOTGOV domain.
“Many of these measures are hard, both to measure and to achieve,” Goldstein said. “But we must show value to our stakeholders and show impact to every American if we are to achieve the more secure future we collectively seek.”
CISA’s first goal – addressing immediate threats – has three main objectives that will make it increasingly difficult for adversaries to achieve their goals by targeting American and allied networks.
The strategy notes that the agency will work with partners to gain visibility into the breadth of intrusions targeting the country, enable the disruption of threat actor campaigns, ensure that adversaries are rapidly evicted when intrusions occur, and accelerate mitigation of the exploitable conditions that adversaries repeatedly use.
Hardening the terrain consists of catalyzing, supporting, and measuring adoption of strong practices for security and resilience that measurably reduce the likelihood of damaging intrusions.
CISA pledged to provide actionable and usable guidance and direction that helps organizations prioritize the most effective security investments first and leverage scalable assessments to evaluate progress by organizations, critical infrastructure sectors, and the nation.
The final goal – driving security at scale – involves prioritizing cybersecurity as a fundamental safety issue and asking more of technology providers to build security into products throughout their lifecycle, ship products with secure defaults, and foster radical transparency into their security practices so that customers clearly understand the risks they are accepting by using each product.
This high-level goal also covers understanding and reducing the risks posed by emerging technologies – like AI – and contributing to efforts to build a national cybersecurity workforce that can address the threats of tomorrow and reflects the diversity of the country.
“Ultimately cybersecurity is a whole of CISA, whole of government, whole of nation mission. It takes every one of us to contribute to our individual and societal security. The risks are severe and mounting, the hurdles are high. But they are surmountable,” Goldstein wrote. “Through our shared efforts, we believe 2023 can be an inflection point when we shift the arc of national risk to create a safer future for generations to come.”
CISA’s plan for the next three years builds on the agency-wide strategic plan released last year, which sets out four major goals for FY 2023-2025: spearhead national cyber defense efforts, reduce risks to and strengthen the resilience of critical infrastructure, strengthen operational collaboration and information sharing, and unify as “One CISA.”