The Cybersecurity and Infrastructure Security Agency (CISA) has released its FY2024-2026 Strategic Plan, which builds on the cybersecurity strategy published by the White House.
The CISA highlighted that the US is at a “moment of opportunity” following the collaborative vision outlined in the Biden-Harris Administration’s 2023 US National Cybersecurity Strategy announced in March 2023.
The Strategic Plan sets out a vision and plan to change the trajectory of the US’ national cybersecurity risk. The document is set to compliment the national strategy.
“Where the National Cyber Strategy calls for foundational shifts to help America outpace our adversaries and set a national agenda on our terms rather than theirs, and CISA’s Strategic Plan outlines how we’ll work together as a unified agency grounded in common values, our Cyber Strategic Plan focuses on the “how” and – of critical importance – how we’ll know if we’re making progress,” a statement by Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA noted.
The Plan notes that too often threat actors’ success is enabled by an environment of insecurity, in which enterprises are too difficult to defend, and technology products are too vulnerable to protect.
It goes on to say that the steps to take to overcome this are known. The document highlights that the design and development of products must change so that exploitable vulnerabilities do not reach market.
The Plan also emphasizes how adversaries, incidents and vulnerabilities must be quickly detected in order to mitigate issues before harm occurs.
“We must help organizations, particularly those that are “target rich, resource poor,” take the fewest possible steps to drive the most security impact,” the Plan states.
The plan outlines three goals:
- Goal 1: Address Immediate Threats. The understanding of immediate and emerging threats will enable CISA to prioritize investment in the security controls, product attributes, and services that most effectively reduce risks.
- Goal 2: Harden the Terrain. As CISA provides guidance and services that help organizations prioritize reductions in enterprise risk, they will more clearly define the risks that can be most effectively addressed by safer products.
- Goal 3: Drive Security at Scale. As security advances across the product lifecycle, CISA aims to force threat actors to adopt more time-consuming and expensive tactics, reducing the prevalence of attacks.
CISA notes that as it implements the Strategic Plan, changes to the threat and technology environments may require periodic re-evaluation of strategic priorities. However, the fundamental security shifts toward which it will drive, and the long-term investments defined by this Plan will endure.