Critical Infrastructure Security, Governance, Risk and Compliance

CISA strategic plan aligns with National Cybersecurity Strategy

The CISA logo is seen hanging on a blue wall

The official seal of the Cybersecurity and Infrastructure Agency is seen at the CISA headquarters in Arlington, Va. CISA released its annual vulnerability disclosure platform report, detailing the impact of outside security research on federal civilian systems. (Department of Homeland Security)

The Cybersecurity and Infrastructure Security Agency (CISA) on Friday released an update to its comprehensive strategic plan.

The plan for fiscal 2024-2026 is aligned with the National Cybersecurity Strategy released earlier this year by the Biden administration and is “a blueprint for how the agency will pursue a future in which damaging cyber intrusions are a shocking anomaly,” according to CISA.

Released in March by the White House, the National Cybersecurity Strategy calls on governments and the private sector to collaborate on addressing the country’s collective digital security by moving the responsibility of securing technology from users to manufacturers and to compel long-term investment in the way technology is designed. 

The administration and the Office of the National Cyber Director released the workforce development component of the strategy on Monday that aims to build up the nation's cybersecurity skills and capabilities.

CISA is the nation’s cyber defense agency and the national coordinator for critical infrastructure security. The three main goals that will guide the agency’s mission include:

  • Addressing immediate threats by making it increasingly difficult for adversaries to achieve their goals by targeting American and allied networks; 
  • Hardening the terrain by adopting strong practices for security and resilience that measurably reduce the likelihood of damaging intrusions; and 
  • Driving security at scale by prioritizing cybersecurity as a fundamental safety issue and asking more of technology providers to build security into products throughout their lifecycle, ship products with secure defaults, and foster radical transparency into their security practices so that customers clearly understand the risks they are accepting by using each product.

“The next three years will set a new course for CISA and for national cybersecurity. … Together with our partners, we hope to look back on 2023 as the point when the trajectory of national cybersecurity risk began to change for the better,” the plan concludes.

Cybersecurity experts applauded CISA’s updated plan on Friday. 

Tom Kellerman, senior vice president of cyber strategy at Contrast Security, said he was heartened by the three key strategies, adding that “the gloves are now off so as to disrupt cyberattack campaigns.”

Roger Grimes, data-driven defense evangelist at KnowBe4, said the strategic plan formalizes the work the agency has already been working to put in place, adding that “CISA has made tremendous headway” in most of the initiatives already.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Related

Details on 2021 Chemonics hack remain scant

International development firm Chemonics, which mainly caters to the United States Agency of International Development, has not yet provided more extensive information regarding a cyberattack that compromised more than 6,000 individuals initially reported in July 2021, reports FedScoop.

Media, think tank, service spoofing conducted in APT42 cyberespionage operations

Iranian state-backed hacking operation APT42 — also known as Mint Sandstorm, Mint Phosphorous, Charming Kitten, and TA453 — has spoofed major news organizations, including The Washington Post, think tanks, such as the McCain Institute, and internet services, such as Gmail, YouTube, and Google Drive, as part of cyberespionage campaigns against journalists and human rights activists, reports CyberScoop.

Feds warn of new Kimsuky phishing attack techniques

The U.S. State Department, National Security Agency, and the FBI have issued a joint advisory warning organizations across the country, especially educational entities, non-profits, and think tanks, regarding the increasingly advanced phishing techniques leveraged by North Korean state-backed hacking group Kimsuky, also known as APT43, Emerald Sleet, and Velvet Chollima, Nextgov reports.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.