Thursday, April 25, 2024

New CISA Strategic Plan Focuses on Cyber Threats, Risk Reduction, Collaboration with Partners

Agency also sets goal of agency unification through integrated functions, capabilities, and workforce to "work together as One CISA."

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released its Strategic Plan 2023-2025 anchored by goals to strengthen cyber defenses, increase resilience, build and grow critical partnerships, and nurture its workforce to thrive as “One CISA.”

At the beginning of the document, CISA Director Jen Easterly wrote that the plan “represents a forward-leaning, unified approach to achieving our vision of ensuring secure and resilient critical infrastructure for the American people.”

“The risks we face are complex, geographically dispersed, and affect a diverse array of our stakeholders, including federal civilian government agencies, private sector companies, state, local, tribal, and territorial (SLTT) governments, and ultimately the American people,” Easterly wrote. “It is our duty to work with our stakeholders to mitigate these risks to preserve our national security, economic stability, and the health and safety of all our citizens.”

The plan builds on and aligns with the Department of Homeland Security Strategic Plan for Fiscal Years 2020–2024, with a focus on promoting “unity of effort across the agency and our partners” and defining “success for CISA as an agency.”

“Our agency must execute this Strategic Plan in a complex landscape of ever-evolving risks to the nation’s infrastructure and networks. Our increasingly interconnected, global cyberspace presents profound challenges in which we face 24/7/365 asymmetric, cyber threats with large scale real-world effects. Regardless of mission, industry, or sector, all organizations share the same overarching concerns,” the plan states. “These include increasing adversary sophistication, capability, and boldness; an expanding cyberattack surface created through highly connected and interdependent technologies; and the need to rapidly increase the pool of highly skilled cyber talent for today and the foreseeable future. Outpacing our rivals’ and adversaries’ cyber capabilities is a national security imperative.”

The report stresses the cornerstone of the agency’s relationship with industry and other private stakeholders: “CISA was designed to be something special and different. Not another bureaucracy, but something much more akin to a public-private collaborative. Our core values reflect this design and underpin everything we do at CISA.”

The strategic plan is divided into four goals rooted in CISA’s core values of collaboration, innovation, service, and accountability.

The first is cyber defense, with CISA focusing on “minimizing the impact of attempts to infiltrate, exploit, disrupt, or destroy critical infrastructure systems and networks and the [National Critical Functions] they enable.”

“Since we cannot mitigate risks we cannot see, we will actively hunt for cyber threats and engage the cybersecurity community to drive disclosure and mitigation of critical vulnerabilities. Additionally, we must advance security in the broader cyber ecosystem. Driving toward a future where software and hardware are designed and built with security as a top priority is a necessity, particularly in ICS and OT, which directly underpin critical functions,” the plan states. “Beyond secure technology, it is also essential to address workforce shortages in our cyber ecosystem, to include ensuring that our cybersecurity workforce reflects the diversity of our country and is ready to meet the breadth of challenges ahead.”

The goal’s objectives are to “enhance the ability of federal systems to withstand cyberattacks and incidents,” “increase CISA’s ability to actively detect cyber threats targeting America’s critical infrastructure and critical networks,” “drive the disclosure and mitigation of critical cyber vulnerabilities,” and “advance the cyberspace ecosystem to drive security-by-default.”

The second goal in the plan is risk reduction and resilience, centered around a national effort “identifying which systems and assets are truly critical to the nation, understanding how they are vulnerable, and taking action to manage and reduce risks to them.”

“To better meet the diverse needs of our stakeholders and focus our efforts on the nation’s most critical infrastructure, CISA must further deepen its understanding of current and future critical infrastructure risks to the nation. We identify and analyze risks using NCF which are, simply put, what we need critical infrastructure to do to achieve national security, economic security, and public health and safety. We use the NCF to frame the analysis that tells us where risk concentrates in entities, assets, systems, technologies, and commodities so we can focus our efforts where they will have the greatest impact in reducing risk to the nation,” the plan continues. “This approach allows us to anticipate the sources of potentially cascading impacts and plan for effective mitigations in today’s interconnected infrastructure environment.”

The objectives to meet this goal are “expand visibility of risks to infrastructure, systems, and networks,” “advance CISA’s risk analytic capabilities and methodologies,” “enhance CISA’s security and risk mitigation guidance and impact,” “build greater stakeholder capacity in infrastructure and network security and resilience,” “increase CISA’s ability to respond to threats and incidents,” and “support risk management activities for election infrastructure.”

The strategic plan’s third goal is operational collaboration, with a vow to “approach every partnership with humility, transparency, gratitude, and a firm resolution to add value wherever possible.”

“This requires local, regional, and national presence and active engagement. It also requires developing a recognizable CISA brand and that we reliably deliver on our brand promise to defend and protect critical infrastructure. We will work through the partnership structure defined in the National Infrastructure Protection Plan (“National Plan”) to engage SRMAs and critical infrastructure sector partners, fulfilling our responsibilities as the national coordinator for critical infrastructure security and resilience,” CISA stated. “We will also conduct local, regional, and national stakeholder outreach through a robust, flexible, and highly capable regional presence. Comprising this presence will be functional experts and supporting personnel who deliver CISA products, services, and information while also collecting the stakeholder feedback necessary to continuously refine and improve our offerings and inform our focus areas. Throughout our engagements—whether one-to-many or one-to-one—we will provide value to the public, our partners, and stakeholders while aggressively protecting their privacy, civil rights, and civil liberties.”

Stated objectives to meet this goal are “optimize collaborative planning and implementation of stakeholder engagements and partnership activities,” “fully integrate regional offices into CISA’s operational coordination,” “streamline stakeholder access to and use of appropriate CISA programs, products, and services,” “enhance information sharing with CISA’s partnership base,” and “increase integration of stakeholder insights to inform CISA product development and mission delivery.”

The final goal is agency unification through integrated functions, capabilities, and workforce to “work together as One CISA.”

“This means we must streamline existing operations and adopt agile, new technologies that will enable customer service and improved timely, modern, and secure services,” the strategic plan says. “Through enhanced governance, management, and prioritization, we will break down organizational silos, grow the value of our services, and increase stakeholder satisfaction.”

Objectives to meet this goal are “strengthen and integrate CISA governance, management, and prioritization,” “optimize CISA business operations to be mutually supportive across all divisions,” “cultivate and grow CISA’s high-performing workforce,” and “advance CISA’s culture of excellence” with a measurement approach to gauge “improved psychological safety, diversity, and reduced burnout of the CISA workforce, which is imperative to enabling an innovative and motivated culture.”

Bridget Johnson
Bridget Johnson is the Managing Editor for Homeland Security Today. A veteran journalist whose news articles and analyses have run in dozens of news outlets across the globe, Bridget first came to Washington to be online editor and a foreign policy writer at The Hill. Previously she was an editorial board member at the Rocky Mountain News and syndicated nation/world news columnist at the Los Angeles Daily News. Bridget is a terrorism analyst and security consultant with a specialty in online open-source extremist propaganda, incitement, recruitment, and training. She hosts and presents in Homeland Security Today law enforcement training webinars studying a range of counterterrorism topics including conspiracy theory extremism, complex coordinated attacks, critical infrastructure attacks, arson terrorism, drone and venue threats, antisemitism and white supremacists, anti-government extremism, and WMD threats. She is a Senior Risk Analyst for Gate 15 and a private investigator. Bridget is an NPR on-air contributor and has contributed to USA Today, The Wall Street Journal, New York Observer, National Review Online, Politico, New York Daily News, The Jerusalem Post, The Hill, Washington Times, RealClearWorld and more, and has myriad television and radio credits including Al-Jazeera, BBC and SiriusXM.
