CISA Cybersecurity Strategic Plan: Shifting the Arc of National Risk to Create a Safer Future


By Eric Goldstein, Executive Assistant Director for Cybersecurity

In March, President Biden released the National Cybersecurity Strategy, setting forth a clear and urgent path for our country. As the nation’s Cyber Defense Agency, CISA plays a central role in advancing toward a future where robust collaboration is the norm and where we rebalance the responsibility for cybersecurity to be more effective and more equitable.

To ensure accelerated progress toward this vision, we are proud to release our FY2024-2026 Cybersecurity Strategic Plan. We know that connected technologies underpin every aspect of our lives, our businesses, our communities, our families, often in ways that allow us to be more connected, productive, and efficient than ever before. But malicious cyber actors recognize this dependence as well, and continuously work to exploit it for financial or strategic gain.

Too often, our adversaries succeed, enabled by an environment of insecurity, in which our enterprises are too difficult to defend, and our technology products are too vulnerable to protect.

The National Cybersecurity Strategy sets forth a vision and a plan to change the trajectory of our national cybersecurity risk. Now it’s up to all of us, government and private sector, domestic and international, to execute. That’s where our Cybersecurity Strategic Plan comes in. Where the National Cyber Strategy calls for foundational shifts to help America outpace our adversaries and set a national agenda on our terms rather than theirs, and CISA’s Strategic Plan outlines how we’ll work together as a unified agency grounded in common values, our Cyber Strategic Plan focuses on the “how” and – of critical importance – how we’ll know if we’re making progress. Our Strategic Plan is aligned around three goals:

  • Goal 1: Address Immediate Threats. We will make it increasingly difficult for our adversaries to achieve their goals by targeting American and allied networks. We will work with partners to gain visibility into the breadth of intrusions targeting our country, enable the disruption of threat actor campaigns, ensure that adversaries are rapidly evicted when intrusions occur, and accelerate mitigation of exploitable conditions that adversaries recurringly exploit.
  • Goal 2: Harden the Terrain. We will catalyze, support, and measure adoption of strong practices for security and resilience that measurably reduce the likelihood of damaging intrusions. We will provide actionable and usable guidance and direction that helps organizations prioritize the most effective security investments first and leverage scalable assessments to evaluate progress by organizations, critical infrastructure sectors, and the nation.
  • Goal 3: Drive Security at Scale. We will drive prioritization of cybersecurity as a fundamental safety issue and ask more of technology providers to build security into products throughout their lifecycle, ship products with secure defaults, and foster radical transparency into their security practices so that customers clearly understand the risks they are accepting by using each product. Even as we confront the challenge of unsafe technology products, we must ensure that the future is more secure than the present – including by looking ahead to reduce the risks and fully leverage the benefits posed by artificial intelligence and the advance of quantum-relevant computing. Recognizing that a secure future is dependent first on our people, we will do our part to build a national cybersecurity workforce that can address the threats of tomorrow and reflects the diversity of our country.

Perhaps most notably, CISA’s cybersecurity strategy goes beyond overarching goals and spells out specific measures of effectiveness – not just measuring whether we’ve done the work, but whether the work is making our country more secure. We will measure improvements in our time-to-detect adversary activity; in the time-to-fix Known Exploited Vulnerabilities; in adoption of our Cybersecurity Performance Goals; in the number of government entities using the secure DOTGOV domain, to name only a few – in fact, we have nearly 30 measures of effectiveness throughout the Strategic Plan. Many of these measures are hard, both to measure and to achieve. But we must show value to our stakeholders and show impact to every American if we are to achieve the more secure future we collectively seek.

Ultimately, cybersecurity is a whole of CISA, whole of government, whole of nation mission. It takes every one of us to contribute to our individual and societal security. The risks are severe and mounting, and the hurdles are high. But they are surmountable. Through our shared efforts, we believe 2023 can be an inflection point when we shift the arc of national risk to create a safer future for generations to come.