For the second time since it was founded, the Cybersecurity and Infrastructure Security Agency (CISA) has published a comprehensive strategic plan that outlines its alignment with the National Cybersecurity Strategy from fiscal years 2024 through 2026. The prior plan, published in 2022, outlined goals for 2023 to 2025.
The 2024-2026 Strategic Plan is divided into four central goals: leading the charge on national cyber defense, bolstering critical infrastructure resilience, growing public-private partnerships, and the formation of a streamlined “One CISA.” To a great degree the strategic plan builds on the previously published CISA Strategic Intent and formalizes a number of initiatives the agency is already well underway with.
CISA strategic plan for the next three years casts cybersecurity as a “whole of government” mission
The Strategic Plan builds from three established “enduring goals”: addressing immediate threats, hardening the terrain, and driving security at scale. Concrete actions mentioned include a call for technology providers to increase “security by design” in their products and to be more transparent about their practices. Some related actions in this area are already underway, such as a newly adopted labeling program for smart devices.
In terms of more specific actions planned for the three year period, Federal Civilian Executive Branch (FCEB) agencies can expect more cybersecurity requirements. This is a trend that the Biden administration has already established, but CISA is signaling its intention to “leverage our authorities to the maximum extent” to push stronger cybersecurity practices in these agencies.
There will also be increased roles and responsibilities for what CISA calls “network defenders,” or private partners that maintain critical systems likely to be targeted by hackers. And many different types of organizations are looking at new disclosure rules, but critical infrastructure companies are at the top of the list. Greater demands may also be put on technology providers that make products used in support of National Critical Functions (a categorization created by CISA in 2019 that mostly involves the 16 sectors designated as critical infrastructure).
On the subject of critical infrastructure, CISA is also pledging to expand visibility and catch emerging risks and threats. Part of this will involve improving its analytic capabilities and methodologies. The agency’s risk mitigation guidance is also in line for an update.
CISA’s streamlining will also include improved integration between the agency’s headquarters and regional staff at national touchpoints, with extensions of Sector and Government Coordinating Councils (SCC and GCC) for improved regional communication. Private stakeholders can also expect enhancements to the Federal Senior Leadership Council (FSLC) and Information Sharing and Analysis Organizations (ISAOs) that they collaborate with.
Cybersecurity strategy calls for rapid maturation of a young agency
CISA was only formed in 2018, but has rapidly become the point agency for critical matters of national cyber defense. The new strategic plan sees it continuing and growing in that role, but also focusing on delegating priority threat responsibilities to those best suited to handle them. This is in keeping with the terms put forward by the National Cybersecurity Strategy released in March, which also sought to prioritize and divide responsibilities in accordance with capability to respond.
In practical terms, what this looks like in the short term will likely be the development of more shared services that help critical infrastructure partners to reduce security costs. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, said that “target rich and resource poor” organizations were going to be the agency’s immediate priority.
Jason Keirstead, Vice President of Collective Threat Defense for Cyware, notes that numerous highly vulnerable organizations are in need of immediate assistance: “CISA is taking a pragmatic and holistic approach to their 2024-2026 strategic plan. Organizations lack the resources to effectively defend against known and emerging threats, and to outpace the adversary, the industry must collaborate more often and more effectively. Even organizations with mature cybersecurity programs often struggle to adequately safeguard every vulnerability. CISA’s focus on collaboration, intelligence sharing, and scalability has potential to measurably strengthen our overall security posture.”
The strategic plan includes expansion of the involvement of international partners as well, and forming coalitions to counter major threats. These coalitions are also meant to shore up global supply chain security and reinforce global norms of responsible state behavior. The strategic plan does not go into detail as to what this will look like in terms of cybersecurity strategy, but the inter-agency Joint Ransomware Task Force (JRTF) formed in 2022 has shown prior indications of more aggressive actions against the type of major criminal actor that temporarily paralyzed Colonial Pipeline and JBS in 2021.
Tom Kellermann, SVP of cyber strategy at Contrast Security, sees this as one of the key elements of the cybersecurity strategy: “I applaud this holistic and multidisciplinary Strategic Plan. I am heartened by three key stratagems. Firstly, the reality that the gloves are now off so as to disrupt cyberattack campaigns. Second, the hunt for and disclosure of critical vulnerabilities as zero-day exploits abound. Finally, the provision of cybersecurity capabilities and services to critical infrastructures is paramount for our national security.”
CISA is also thinking about the more distant future. The strategic plan includes study of and investment in emergent technologies related to quantum computing, which some experts believe could be viable in about a decade. Quantum computing represents an unprecedented security threat, with the potential capability of cracking any present encryption scheme within seconds; research is already underway on a variety of new encryption schemes robust enough to withstand it.
Another element of the cybersecurity strategy that is not expanded on but that might raise some eyebrows is a call to support development of a “digital identity ecosystem.” This may refer to ongoing efforts to improve how federal benefits are accessed online, something that became a serious issue during the Covid-19 pandemic, when an estimated hundreds of billions of dollars in fraudulent benefits were stolen.
Wade Ellery, Field CTO at Radiant Logic, notes that this may also apply to current federal efforts to implement Zero Trust across agencies as part of its broad cybersecurity strategy: “The recent update to CISA’s comprehensive plan marks a significant stride in the nation’s ongoing efforts to bolster its digital security landscape. An identity-focused strategy stands out as an indispensable and highly effective approach to fortifying systems across the U.S. Managing identities has become more complicated for organizations, regardless of industry or size. As the government looks to implement a comprehensive plan, it must take into consideration the types of attacks plaguing the U.S. – identity-related attacks make up the bulk of cyber-attacks, calling into question the way businesses handle their identity data.
“Having clean, unified Identity data has emerged as a central pillar in safeguarding sensitive information, fending off cyber threats and ensuring the integrity of digital environments. This approach centers on verifying and managing the identities of users and allows for full visibility and control over who can access specific resources within a system. This fine-grained access control, integrated into a Zero Trust Architecture, can help minimize the attack surface, limit the risk of unauthorized parties entering the system and detect threats early on,” added Ellery.