What You Need to Know About CISA's New Cybersecurity Strategic Plan

The Cybersecurity and Infrastructure Security Agency (CISA) just released its FY2024-2026 Cybersecurity Strategic Plan. This new Strategic Plan was written to align with the broader White House 2023 U.S. National Cybersecurity Strategy released in March 2023 and CISA’s 2023–2025 Strategic Plan released in September 2022. The new plan guides CISA’s efforts in pursuit of a new vision for cybersecurity: a vision grounded in collaboration, in innovation, and in accountability.

The CISA mission is well summarized in the National Strategy:

“Defending the systems and assets that constitute our critical infrastructure is vital to our national security, public safety, and economic prosperity ... We aim to operationalize an enduring and effective model of collaborative defense that equitably distributes risk and responsibility and delivers a foundational level of security and resilience for our digital ecosystem.”

To accomplish this, CISA details 3 key intertwined goals in its new plan:

Goal 1: Address Immediate Threats

Our understanding of immediate and emerging threats will enable us to prioritize investment in the security controls, product attributes, and services that most effectively reduce risks.

Goal 2: Harden the Terrain

We will catalyze, support, and measure adoption of strong practices for security and resilience that measurably reduce the likelihood of damaging intrusions. We will provide actionable and usable guidance and direction that helps organizations prioritize the most effective security investments first and leverage scalable assessments to evaluate progress by organizations, critical infrastructure sectors, and the nation.

Goal 3: Drive Security at Scale

CISA will drive prioritization of cybersecurity as a fundamental safety issue and ask more of technology providers to build security into products throughout their lifecycle, ship products with secure defaults, and foster radical transparency into their security practices so that customers clearly understand the risks they are accepting by using each product. Even as we confront the challenge of unsafe technology products, we must ensure that the future is more secure than the present—including by looking ahead to reduce the risks and fully leverage the benefits posed by artificial intelligence and the advance of quantum-relevant computing.

The CISA Cybersecurity Strategic Plan aligns the following nine objectives under the three intertwined goals:

  1. Increase visibility into, and ability to disrupt, cybersecurity threats and campaigns.
  2. Coordinate disclosure of, hunt for, and drive mitigation of critical and exploitable vulnerabilities.
  3. Plan for, exercise, and execute joint cyber defense operations and coordinate the response to significant cybersecurity incidents.
  4. Understand how attacks really occur—and how to stop them.
  5. Drive implementation of measurably effective cybersecurity investments.
  6. Provide cybersecurity capabilities and services that fill gaps and help measure progress.
  7. Drive development of trustworthy technology products.
  8. Understand and reduce cybersecurity risks posed by emergent technologies.
  9. Contribute to efforts to build a national cyber workforce.

And under those nine objectives, there are over 30 outcome-based measures of effectiveness to drive accountability and ensure CISA’s efforts have a measurable impact in reducing cybersecurity risk.

Overall, CISA’s new Cybersecurity Strategic Plan sets a clear vision for how the federal government can better preemptively secure and defend US critical infrastructure. The Plan also drives home the point that this can only be done with true collaboration between the public and private sectors.

Many organizations, especially those without a clear information security roadmap or those unsure whether their plan is missing something, will benefit from reviewing the Cybersecurity and Infrastructure Security Agency's (CISA) 2023-2025 Strategic Plan.

Ingalls Government Programs specializes in DoD cyber solutions with a full suite of technology-enabled, integrated cybersecurity risk management services. Our team is simplifying the path to Authorization to Operate (ATO) through the development and implementation of the Cybersecurity Assurance Readiness (CSAR) Process and is a Registered Practitioner Organization for the Cybersecurity Maturity Model Certification (CMMC). We also exist to support the defense industrial base in gaining awareness of information security topics and specialize in the following:

  •   DoD Risk Assessment
  •   Information System Security Manager (ISSM)
  •   Information System Security Officer (ISSO)
  •   DoD Authorization to Operate (ATO) Support
  •   Cybersecurity Assurance Readiness (CSAR)
  •   Defense Industrial Base Prep
  •   DFARS Compliance Expertise
  •   CMMC RPO
  •   vCMMC RP
  •   Incident Response Remediation
  •   DevSecOps Maturity Review
  •   Cybersecurity innovative research and development

We also offer Professional Services to help our clients build a tailored and comprehensive risk management program. These services include:

  •   Virtual Chief Information Security Officer (vCISO)
  •   Information Security Policy Development
  •   Risk Assessments
  •   Incident Response Readiness
  •   Vulnerability Assessments
  •   Penetration Testing

No matter what stage of cybersecurity readiness your company is at, we can assist. Are you ready to strengthen your cybersecurity roadmap to align with the CISA Strategic Plan and build a stronger cyber defensive posture to meet government cybersecurity standards? Learn more about our government programs and professional services by replying directly to this email or filling out a contact form.

FY2024-2026 Cybersecurity Strategic Plan: https://www.cisa.gov/sites/default/files/2023-08/FY2024-2026_Cybersecurity_Strategic_Plan.pdf
