“CISA Cybersecurity Strategic Plan”
CISA, August 4, 2023
By Cybersecurity & Infrastructure Security Agency (CISA)
“The Cybersecurity and Infrastructure Security Agency’s (CISA) 2023-2025 Strategic Plan is the agency’s first, comprehensive strategic plan since CISA was established in 2018. This is a major milestone for the agency.”
The FY2024-2026 Cybersecurity Strategic Plan [PDF] guides CISA’s efforts in pursuit of a new vision for cybersecurity: a vision grounded in collaboration, in innovation, and in accountability.
Aligned with the National Cybersecurity Strategy [PDF] and nested under CISA’s 2023–2025 Strategic Plan, the Cybersecurity Strategic Plan provides a blueprint for how the agency will pursue a future in which damaging cyber intrusions are a shocking anomaly, organizations are secure and resilient, and technology products are secure by design and default. To this end, the Strategic Plan outlines three enduring goals:
- Address Immediate Threats by making it increasingly difficult for our adversaries to achieve their goals by targeting American and allied networks;
- Harden the Terrain by adopting strong practices for security and resilience that measurably reduce the likelihood of damaging intrusions; and
- Drive Security at Scale by prioritizing cybersecurity as a fundamental safety issue and ask more of technology providers to build security into products throughout their lifecycle, ship products with secure defaults, and foster radical transparency into their security practices so that customers clearly understand the risks they are accepting by using each product.
Importantly, this Strategic Plan also has a unique focus on outcome-based measures of effectiveness to ensure CISA’s efforts have a measurable impact in reducing cybersecurity risk.
Cybersecurity is a shared journey and a shared challenge that the entire nation must address together. As America’s Cyber Defense Agency, CISA serves a foundational role in the global cybersecurity community, but true and lasting security in cyberspace can only be achieved collaboratively. Government at all levels, industry, technology providers, the global community of cyber defenders, individual citizens, and others must all work together to achieve a secure cyber future. [emphasis added]
The Cybersecurity and Infrastructure Security Agency’s (CISA) 2023-2025 Strategic Plan [PDF] is the agency’s first, comprehensive strategic plan since CISA was established in 2018. This is a major milestone for the agency: [emphasis added] The CISA Strategic Plan will focus and guide the agency’s efforts over the next three years.
The Strategic Plan builds on the foundation created through the CISA Strategic Intent published in August 2019 to guide the agency’s work and create unity of effort. In our role as the nation’s cyber defense agency and the national coordinator for critical infrastructure security, CISA works with critical infrastructure partners every day to address the evolving threat landscape.
That approach is reflected in the CISA Strategic Plan, which focuses on how we will collectively reduce risk and build resilience to cyber and physical threats to the nation’s infrastructure. To achieve the outcome of reduced risk and increased resilience, the CISA Strategic Plan describes four ambitious goals. Three of these goals focus on “how” the agency will work to reduce risk and build resilience, while the fourth goal focuses internally to ensure the agency is in a strong position to execute the CISA Strategic Plan, working as One CISA.
With this in mind, the Strategic Plan sets CISA on a path over the next three years to drive change in four key areas:
- First, we will spearhead the national effort to ensure the defense and resilience of cyberspace. Serving as America’s cyber defense agency, we will spearhead the national effort to defend against cyber threat actors that target U.S. critical infrastructure, federal and SLTT governments, the private sector, and the American people. CISA must lean forward in our cyber defense mission toward collaborative, proactive risk reduction. Working with our many partners, it is CISA’s responsibility to help mitigate the most significant cyber risks to the country’s National Critical Functions, both as these risks emerge and before a major incident occurs.
- Second, we will reduce risks to, and strengthen the resilience of, America’s critical infrastructure. Our safety and security depend on the ability of critical infrastructure to prepare for and adapt to changing conditions and to withstand and recover rapidly from disruptions. CISA coordinates a national effort to secure and protect against critical infrastructure risks. This national effort is centered around identifying which systems and assets are truly critical to the nation, understanding how they are vulnerable, and taking action to manage and reduce risks to them. We serve as a key partner to critical infrastructure owners and operators nationwide to help reduce risks and build their security capacity to withstand new threats and disruptions, whether from cyberattacks or natural hazards and physical threats.
- Third, we will strengthen whole-of-nation operational collaboration and information sharing. At the heart of CISA’s mission is partnership and collaboration. Securing our nation’s cyber and physical infrastructure is a shared responsibility. We are challenging traditional ways of doing business and actively working with our government, industry, academic, and international partners to move toward more forward-leaning, action-oriented collaboration. We are also committed to growing and strengthening our Agency’s regional presence to more effectively deliver the assistance our stakeholders need.
- And fourth, foundational to our success, we will unify as One CISA through integrated functions, capabilities, and workforce. We will succeed because of our people. We are building a culture of excellence based on core values and core principles that prize teamwork and collaboration, innovation and inclusion, ownership and empowerment, and transparency and trust. As one team unified behind our shared mission, we will “work smart” to operate in an efficient and cost-effective manner.
While the Strategic Plan highlights CISA’s overall measurement approach and representative outcomes for each objective, the agency is developing internal measures of performance and effectiveness to better track progress toward reducing risk and achieving its goals.
We invite you to read the full CISA Strategic Plan [PDF].
About the Author:
CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. We are designed for collaboration and partnership. Learn about our layered mission to reduce risk to the nation’s cyber and physical infrastructure.