CISA Strategic Plan focuses on reducing risk, building resilience to cyber and physical threats

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) rolled out Tuesday its initial comprehensive plan of action to focus on and guide the agency’s efforts over the next three years. The Strategic Plan communicates the agency’s mission and vision, promotes the unity of effort across the agency and partners, and defines success for CISA as an agency. It also describes the stakeholder, policy, and operational context ‘in which we must perform and presents the strategic changes CISA will make to better execute our vital mission over the next three years.’ 

The CISA 2023-2025 Strategic Plan represents a forward-leaning, unified approach to achieving the agency’s vision of ensuring secure and resilient critical infrastructure for the American people. The document builds on and aligns with the Department of Homeland Security (DHS) Strategic Plan for Fiscal Years 2020 – 2024. CISA will implement the Strategic Plan through the agency’s division and office-level Annual Operating Plans (AOP).

Over the period, the agency is set to spearhead the national effort to ensure the defense and resilience of cyberspace; reduce risks to, and strengthen the resilience of, America’s critical infrastructure; strengthen whole-of-nation operational collaboration and information sharing; and unify as ‘One CISA’ through integrated functions, capabilities, and workforce. 

“At CISA, we lead the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day,” Jen Easterly, CISA director, wrote in the Strategic Plan. “The risks we face are complex, geographically dispersed, and affect a diverse array of our stakeholders, including federal civilian government agencies, private sector companies, state, local, tribal, and territorial (SLTT) governments, and ultimately the American people. It is our duty to work with our stakeholders to mitigate these risks to preserve our national security, economic stability, and the health and safety of all our citizens,” she added. 

In its Strategic Plan, CISA focuses on minimizing the impact of attempts to infiltrate, exploit, disrupt, or destroy critical infrastructure systems and networks and the National Critical Functions (NCF) they enable. “We will advance our work as the operational lead for Federal Civilian Executive Branch (FCEB) cybersecurity and as the federal cybersecurity shared services provider. We must ensure that federal civilian agencies have access to the best cybersecurity tools, incident response support, and risk management capabilities to safeguard the networks that support our nation’s essential operations,” the plan outlined.

The agency identified that since it cannot mitigate risks that cannot be seen, it will actively hunt for cyber threats and engage the cybersecurity community to drive disclosure and mitigation of critical vulnerabilities. “Driving toward a future where software and hardware are designed and built with security as a top priority is a necessity, particularly in ICS and OT, which directly underpin critical functions,” it added. 

Beyond secure technology, it is also essential to address workforce shortages in our cyber ecosystem to ensure that the cybersecurity workforce reflects the diversity of our country and is ready to meet the breadth of challenges ahead, the Strategic Plan said. “As the nation’s cyber defense agency, we understand that effective public and private sector partnerships and collaboration are mission critical and the only way to achieve a secure and resilient cyber ecosystem that powers an innovative and prosperous nation,” it added.

The objectives of the agency’s cyber defense approach include enhancing the ability of federal systems to withstand cyber attacks and incidents and increasing CISA’s ability to actively detect cyber threats that target the nation’s critical infrastructure and critical networks. It also aims to drive the disclosure and mitigation of critical cyber vulnerabilities and advance the cyberspace ecosystem to drive security-by-default. 

CISA coordinates a national effort to secure and protect against critical infrastructure risks and build its security capacity to withstand new threats and disruptions, whether from cyberattacks or natural hazards and physical threats. “Critical infrastructure is divided into 16 sectors, each with a designated Sector Risk Management Agency (SRMA) responsible for helping owners and operators manage risk in that sector. CISA serves as the SRMA for eight of the 16 designated critical infrastructure sectors, fulfilling a unique partnership role for those sectors’ risk management efforts,” the Strategic Plan said.

The document added that CISA also supports the other SRMAs in their security and resilience efforts by assisting with identifying and managing risks and providing access to CISA capabilities and resources. “Both in its capacity as an SRMA for multiple sectors and as a supporter and facilitator of the other SRMAs, CISA has a pivotal role in securing our nation’s most critical infrastructure,” it added.

The objectives of the agency’s risk reduction and resilience outlook include expanding the visibility of risks to infrastructure, systems, and networks while advancing the agency’s risk analytic capabilities and methodologies. It also boosts CISA’s security and risk mitigation guidance and impact, builds greater stakeholder capacity in infrastructure and network security and resilience, and increases CISA’s ability to respond to threats and incidents. 

Through partnerships with federal agencies and others, CISA will expand and strengthen shared commitments, provide products and services that make continued investment in infrastructure security and resilience the smart and easy choice, and enhance information sharing and collaboration at the local, regional, and national levels. “We will use our full suite of convening authorities and relationship management capabilities to expand and mature partnerships with stakeholders and facilitate information sharing,” the Strategic Plan added.

It will optimize collaborative planning and implementation of stakeholder engagements and partnership activities, integrate regional offices into CISA’s operational coordination, and streamline access to and use of appropriate CISA programs, products, and services. It also enhances information sharing with CISA’s partnership base and better integrates stakeholder insights to inform CISA product development and mission delivery.

Lastly, CISA said it must unify as an agency to work together as One CISA, to ‘streamline existing operations and adopt agile, new technologies that will enable customer service and improve timely, modern, and secure services.’ Through enhanced governance, management, and prioritization, the agency will break down organizational silos, grow the value of its services, and increase stakeholder satisfaction.

Here the objectives include strengthening and integrating CISA governance, management, and prioritization, optimizing the agency’s business operations to be mutually supportive across all divisions, cultivating and growing the agency’s high-performing workforce, and advancing its culture of excellence.

Earlier this week, CISA issued a Request for Information (RFI) soliciting public input on approaches to implementing the cyber incident reporting requirements. The move to receive feedback from the public comes as CISA develops proposed regulations following the CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022), which was signed into law by U.S. President Joe Biden in March.