Leaders at the Cybersecurity and Infrastructure Security Agency like to say security is so important they put it in their name twice.
Now that same rationale is the impetus behind CISA’s first-ever cybersecurity strategic plan for 2024 to 2026. Security is so important CISA needs its own strategic plan to position itself to better handle the ever-changing challenges cyber will inevitably bring.
“CISA is going to have to fundamentally adapt to a new model where we focus on shifting the burden of cybersecurity, to those who can bear it, where we focus on driving prioritized investment and the security measures that reduce the most risk,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity, in an exclusive interview with Federal News Network. “We focus on really deeply understanding threat activity and vulnerabilities in this country in a way that informs how we drive security for products and enterprises. All of that requires some fundamental shifts in the work we do, who prioritize our resources and how we work with our stakeholders. That’s something that we felt was appropriate to really codify in a strategic plan.”
The plan builds on CISA’s strategic plan released in September, which sketches out four major goals to spearhead national cyber defense efforts, reduce risks to and strengthen resilience of critical infrastructure, strengthen operational collaboration and information sharing, and unify as “One CISA.” It also aligns with the National Cybersecurity Strategy the White House released in March, which outlines five pillars and seeks to better balance of cyber risk by those who can afford it most.
Goldstein said his interagency team used the goals and objectives of both of these documents to drill down on the specific cyber priorities and outcomes CISA wants to achieve as they continue to grow and mature.
“What this Cybersecurity Strategic Plan does is really takes the direction from those two plans and says, ‘here’s how we’re going to execute our agency’s cybersecurity mission to achieve what we think really needs to be transformative change in the cybersecurity landscape over the next three years,’” he said. “The plan outlines a series of objectives and goals. In particular, three goals focused on addressing immediate threats, hardening the terrain and driving security at scale. Also, for the first time, we include real measures of effectiveness so that we can show not just that we are doing the work, but that our work is yielding actual security outcomes. We think that’s one of the real innovations in this plan that we’re really proud of.”
30 measures of effectiveness
The 30 measures of effectiveness includes metrics like how CISA has improved its time-to-detect cyber attacks, the time it takes to fix known exploited vulnerabilities and the adoption by federal civilian agencies and the private sector of tools and capabilities it provides.
For example, under goal two, hardening the terrain, CISA lays out a goal to provide capabilities and services that fills gaps in agency or private sector protections.
Goldstein said public and private sector organizations face an ever-growing threat landscape and many struggle to keep ahead of the attackers.
“CISA is really trying to fill two gaps in that area. The first is, where possible, we’re trying to provide affordable, effective commercial shared services that fill gaps for our partners in a scalable way, which is really one of our core focus areas across the federal civilian executive branch,” he said. “We also want to help organizations prioritize their resources so when they are spending that scarce security dollar, they are confident that it is on a measure that is driving down the most risk. That’s where our directives come into play. The goal of our binding operational directives and our emergency directives is really to guide investment toward the most important security activities.”
While the BODs and EODs are required for civilian agencies, Goldstein would like to see non-federal partners benefit from those warnings and CISA wants to measure that impact.
Improving data to measure impact
He said in some cases, CISA already is collecting the data such as driving mitigation of known exploited vulnerabilities across federal networks or how many agencies are implementing its directives.
But in other areas, specifically those related to some non-federal measure, are “measures of effectiveness really are aspirational and reflect the data driven, outcome-oriented agency that we have to be to effectively serve our stakeholders and the country,” he said. “One of our main efforts over the duration of this plan is going to be to make sure that we have the data and the ability to measure the breadth of measures of effectiveness, we can actually show those outcomes across the board.”
Goldstein readily acknowledged achieving the strategy’s goals will require partnering and collaborating across the government and the private sector as well as recognizing that CISA is a piece of the larger cyber community.
“We need to lead this work together,” he said. “We want a strategy that both our workforce and our stakeholders can see themselves in can be proud of and can really lean into executing, not just in the near term, but over the three year duration of the plan.”