The Cybersecurity and Infrastructure Security Agency (CISA) last Friday released a strategic plan that puts forth three enduring goals: addressing immediate threats, strengthening security and resiliency, and scaling security across the board, from treating cybersecurity as a matter of safety to building products that are cybersecure.

The FY2024-2026 Cybersecurity Strategic Plan is guided by the 2023 National Cybersecurity Strategy issued by the Biden administration earlier this year and prioritizes CISA's resources on four sets of stakeholders: federal civilian agencies; “target rich, resource poor entities” like state, local, tribal, and territorial partners; critical infrastructure organizations that perform national critical functions; and technology and cybersecurity companies that can scale cybersecurity.

Each enduring goal includes three objectives, all of which have been advocated by CISA and others previously. For example, as part of driving security at scale, the plan outlines the need for built-in safety and says CISA “will produce and regularly update criteria and practices to develop and maintain products that are secure by design and default, and work with partners to assess the extent to which technology products adopt these clearly defined practices.”

CISA’s leadership under Director Jen Easterly has been advocating secure-by-design principles for all software products.

Each objective includes measures of effectiveness. For the objective of driving trustworthy technology products, CISA says this will require more technology providers to publish detailed threat models of what they are trying to protect and from whom, and an increase in the number of these providers that regularly and publicly attest to implementing specific controls in the Secure Software Development Framework.

“Through the implementation of this strategy, we will first focus our efforts and energy to ensure our core cybersecurity functions are executed to the greatest effect,” CISA says in the plan. “We must get the fundamentals right. We will optimize our cyber defense operations to identify, prevent, and address acute threats and vulnerabilities, and mitigate incidents more quickly. We will provide innovative shared services to directly address risks as well as actionable and practical guidance that helps defenders prioritize investments to address the most likely impactful threats.”