The Cybersecurity & Infrastructure Security Agency (CISA) has released its 2024-2026 Cybersecurity Strategic Plan, which the agency says will change the trajectory of national cybersecurity risk by focusing not only on how to defend but also on developing metrics to measure progress.
The plan is centered on three goals that go beyond simple expectations and instead spell out specific measures of effectiveness, chiefly whether the cybersecurity work undertaken is in fact making the country more secure.
“We will measure improvements in our time-to-detect adversary activity; in the time-to-fix Known Exploited Vulnerabilities; in adoption of our Cybersecurity Performance Goals; in the number of government entities using the secure DOTGOV domain, to name only a few – in fact, we have nearly 30 measures of effectiveness throughout the Strategic Plan,” said Eric Goldstein, Executive Assistant Director for Cybersecurity. “Many of these measures are hard, both to measure and to achieve. But we must show value to our stakeholders and show impact to every American if we are to achieve the more secure future we collectively seek.”
The 36-page plan does not specifically list the metrics CISA will use to measure the success of each goal; in most cases it only broadly notes the areas in which it will develop measurements.
Here is a top-down view of what CISA has planned.
CISA will make it increasingly difficult for adversaries to achieve their goals by targeting American and allied networks. The agency pledges to work with partners to gain visibility into the breadth of intrusions targeting the country, enable the disruption of threat actor campaigns, ensure that adversaries are rapidly evicted when intrusions occur, and accelerate mitigation of the exploitable conditions that adversaries repeatedly abuse.
The document notes that the cybersecurity community in general, CISA included, lacks visibility of the necessary breadth and depth into cybersecurity threats and adversary campaigns, a situation that must be changed.
“We will achieve this visibility by all available means: through our own sensors and capabilities; by leveraging commercial and public data sources, and by partnering with the private sector, government agencies, and international allies,” CISA states.
CISA will measure success by building a coalition that leverages all available capabilities — federal and those of our partners.
One issue CISA will prioritize is pre-existing vulnerabilities and security weaknesses in critical infrastructure and government networks. In the long term, this task will be accomplished by insisting that security be built in during product development.
To have an immediate impact, the agency will take steps to reduce the prevalence of exploitable vulnerabilities by providing authoritative instruction on prioritized mitigations, hunting for exploitable vulnerabilities in domestic networks, and using all possible levers to widely publicize and drive remediation.
By doing so, CISA believes it will gain a persistent understanding of vulnerabilities across the nation’s critical infrastructure and government networks to enable more timely remediation before intrusions occur.
CISA will measure the effectiveness of these actions by the reduction in the time-to-remediate known exploited vulnerabilities across critical infrastructure and government networks, an increase in the percentage of recommendations from CISA’s vulnerability and risk assessments adopted by assessed organizations, and the reduction in the number of vulnerabilities disclosed without appropriate coordination or provision of necessary mitigations.
CISA also recognizes that no single organization can effectively manage, understand, and address the breadth of cyber incidents and threats facing our country. Using the Joint Cyber Defense Collaborative and its expanding regional teams, CISA will serve as an integrator and force multiplier, bringing together government, private sector, and international partners to measurably reduce cyber risk.
The success of this endeavor will be judged by an increase in the volume of unique, timely, and relevant information shared by industry or government partners through CISA’s collaboration channels, an increase in specific actions codified in cyber defense plans adopted by industry and government partners, and an increase in post-incident after-action reports demonstrating that actions developed in cyber defense plans reduced negative outcomes.
CISA will take on the role of cybersecurity mentor, enabling organizations to get the most out of their finite security budget by informing, guiding, and driving the adoption of the most impactful cybersecurity measures by first understanding how attacks occur — not just the initial access, but how the attacker exploited a web of unsafe technology products and inadequate security controls to achieve their objective.
CISA will base this guidance on its visibility into federal civilian executive branch systems, its partners’ visibility into critical infrastructure systems, insights from the research community, and incident reporting. Such reporting is voluntary today and will be supplemented in future years by mandatory reporting under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
CISA’s goal is to increase the percentage of recommendations in its guidance and directives directly based on specific data showing how adversaries successfully execute intrusions and the most effective mitigations to stop attacks.
In addition to mentoring security activities, CISA will provide accurate, actionable, and achievable guidance to help organizations prioritize investment in controls and mitigations that address how attacks actually occur and how adversaries are evolving. For federal civilian executive branch agencies, CISA says it will fully exercise its directive authorities to drive toward a common security baseline and execute agency improvement plans to address tailored gaps.
The third leg of this goal has CISA providing cybersecurity capabilities and services that fill gaps and help measure progress for federal agencies and for highly targeted but resource-poor organizations, where limited resources and sustained adversary interest provide a compelling justification for government assistance to the degree our authorities allow.
The final goal focuses on ensuring products are safe from cyberattacks before being released to the public and private sectors. CISA will concentrate on defining exactly what it means for a technology product to be safe and secure, collaboratively developing guidance and technical criteria to help customers choose safe products and manufacturers to deliver accordingly.
Recognizing that technology manufacturers will need to prioritize areas for improvement, CISA says it will take a data-driven approach to identify the practices that drive down the most risk and address entire classes of attacks, such as using memory-safe programming languages.
Some of the yardsticks used to measure success here are:
“Through the implementation of this strategy, we will first focus our efforts and energy to ensure our core cybersecurity functions are executed to the greatest effect. We must get the fundamentals right,” CISA concluded. “We will optimize our cyber defense operations to identify, prevent, and address acute threats and vulnerabilities, and mitigate incidents more quickly. We will provide innovative shared services to directly address risks as well as actionable and practical guidance that helps defenders prioritize investments to address the most likely and impactful threats.”