
CISA Unveils 2024–2026 Cybersecurity Strategic Plan — August 3, 2023

CISA’s 2024–2026 strategic plan calls for executive governance to steer joint cyber defence planning, phased implementation across its three mission goals, and privacy-aware evidence handling so that organisations can answer data subject access requests (DSARs) tied to threat and incident reporting.

[Figure: horizontal bar chart of credibility scores per cited source.]

The Cybersecurity and Infrastructure Security Agency (CISA) released its 2024–2026 Cybersecurity Strategic Plan on August 3, 2023, setting out how the U.S. government intends to partner with critical infrastructure operators to reduce systemic risk. The plan organises CISA’s mission around three goals—address immediate threats, harden the terrain, and drive security at scale—supported by nine strategic objectives. Boards and executive teams at critical infrastructure organisations should translate the plan into internal governance mandates, because CISA expects joint planning, operational collaboration, and transparent reporting from private-sector owners and operators. Implementing the plan’s programmes involves sharing operational technology (OT), IT, and identity telemetry that can include personal data, so privacy teams must align information-sharing agreements with DSAR obligations under state and sectoral laws.

Goal 1, “Address Immediate Threats,” commits CISA to accelerating whole-of-nation operational collaboration. Objectives include rapidly identifying and disrupting adversaries, enabling more victims to report incidents, and improving response coordination through the Joint Cyber Defense Collaborative (JCDC). Organisations should establish governance structures that connect their security operations centres, legal counsel, communications teams, and senior leadership to the JCDC engagement model. Participation requires clearly documented authorities for sharing incident artefacts, indicators of compromise, and lessons learned with federal partners while safeguarding personally identifiable information (PII). Privacy officers should vet playbooks to ensure any shared data aligns with statutory sharing permissions, minimises personal data, and tracks which records must be retrievable to answer DSARs from employees, customers, or partners whose information may be included in incident submissions.

Goal 2, “Harden the Terrain,” focuses on raising baseline security for the most targeted sectors and scaling best practices across small and medium-sized entities. CISA plans to deliver sector risk management agency (SRMA) playbooks, secure-by-design technical guidance, and tools to help resource-constrained operators implement frameworks such as the NIST Cybersecurity Framework (CSF) and CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). Boards should oversee adoption of these resources, making sure management aligns them with existing enterprise risk management programmes, internal audit cycles, and business continuity plans. Implementation teams can sequence activities by mapping the CPGs to current maturity assessments, using risk registers to prioritise patching, segmentation, identity security, and logging investments. Because many of these efforts involve collecting detailed employee access records and customer interaction logs, DSAR handling must be embedded in the control design. Organisations should catalogue what personal data is stored in centralised logging platforms, define retention periods, and ensure DSAR processes can retrieve or redact entries without undermining evidentiary integrity; in practice that means redacting a copy while preserving a hash or digest of the original record rather than altering the record itself.

Goal 3, “Drive Security at Scale,” aims to shift the technology ecosystem so that secure products are the default, which is where the plan’s secure-by-design agenda sits. CISA pledges to push technology manufacturers toward outcome-based security metrics, vulnerability reduction, and rapid updates, while empowering customers to demand safer products. Enterprises consuming commercial technology should read this goal as a prompt to reassess procurement governance. Vendor management programmes should incorporate CISA’s secure-by-design and secure-by-default principles into requests for proposals, contract clauses, and supplier performance reviews. Implementation teams should adopt software bill of materials (SBOM) collection, vulnerability disclosure timelines, and secure configuration baselines. Privacy leaders need to ensure procurement artefacts record how suppliers process personal data and what contractual pathways exist to satisfy DSARs routed to third-party systems, particularly when threat intelligence submissions reference vendor-managed logs.

The plan also highlights cross-cutting enablers: strengthening CISA’s workforce, enhancing data and technology capabilities, and expanding partnerships. Organisations should mirror these enablers by investing in governance bodies that unify cybersecurity, privacy, and compliance talent. Establishing executive-level cybersecurity councils that meet at least quarterly creates accountability for implementing CISA-aligned programmes. Councils should review risk metrics, incident trends, DSAR volumes tied to security events, and progress on CISA-aligned milestones. Documenting these reviews supports regulatory inquiries and demonstrates that leadership is engaging with federal guidance.

Implementing CISA’s plan requires a phased roadmap. Phase 1 might focus on joining or deepening engagement with the JCDC, enrolling in CISA’s free vulnerability scanning services, and mapping the organisation’s adoption status against the CPGs. Phase 2 can address procurement reforms, secure software development life-cycle enhancements, and deployment of logging architectures modelled on the event-logging requirements set for federal agencies. Phase 3 should institutionalise metrics reporting, including mean time to detect, patching cadences, phishing resilience, and DSAR response times for security-related requests. Each phase should include change management components—training, awareness, tabletop exercises, and communications—that explain to stakeholders why sharing information with CISA supports collective defence while still respecting privacy rights.

Privacy compliance is integral. Incident submissions, vulnerability reports, and threat intelligence feeds often include personal identifiers, such as employee email addresses, IP addresses, or customer account numbers. Organisations should maintain data-sharing inventories that flag which CISA channels receive personal data, what minimisation steps are applied, and how DSAR teams can retrieve submitted records if individuals ask what information was shared with the government. Legal teams should review the relevant authorities, including the Cybersecurity Information Sharing Act of 2015 (whose acronym is also CISA), which conditions its liability protections on removing personal information that is not directly related to the cybersecurity threat before sharing, along with sector-specific confidentiality protections and contractual notice obligations. They must also align security incident reporting timelines under federal and state regimes with DSAR statutory deadlines to prevent conflicting obligations.
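The minimisation and retrieval steps described here and in the Goal 2 section (redact a shared copy, keep evidentiary integrity, and let the DSAR team answer “what about me was shared with the government?”) can be made concrete in a small pipeline. The following is an added example written for this briefing; it is not CISA tooling and not code from the original page. It assumes a constructed incident record, a demo HMAC key (in production the key would live in a KMS or HSM), and a hypothetical channel label “JCDC” for the ledger. Keyed pseudonyms keep identifiers correlatable across submissions without being reversible by the recipient, adversary indicators are deliberately left intact, internal addresses are generalised to /24s, and a ledger records digests of both the original and shared copies together with the token-to-subject map the DSAR team needs.

```python
"""Pseudonymise an incident submission before sharing and keep a DSAR ledger."""
import hashlib
import hmac
import json
import re
from typing import Any, Dict, List

# Constructed sample incident submission: fictitious people, accounts and hosts.
SAMPLE_SUBMISSION: Dict[str, Any] = {
    "submission_id": "sub-0001",
    "summary": "Phishing mail reached alice.smith@example.com; credentials entered.",
    "affected_users": ["alice.smith@example.com", "bob.jones@example.com"],
    "customer_accounts": ["ACCT-99812"],
    "internal_hosts": ["10.20.30.41", "10.20.30.42", "10.20.31.7"],
    # Adversary infrastructure is the point of the report and is shared as-is.
    "indicators": {"sender": "billing@evil.example", "url": "hxxp://evil.example/login"},
}

# Assumption for the demo only: a real deployment pulls this key from a KMS/HSM.
DEMO_KEY = b"demo-only-key-rotate-me"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonym(value: str, kind: str, key: bytes) -> str:
    """Keyed, deterministic token: the same subject yields the same token across
    submissions (analysts can correlate), but it cannot be reversed without the key."""
    mac = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{kind}-{mac}"


def canonical_digest(obj: Any) -> str:
    """SHA-256 over canonical JSON, recorded so each copy can be proven later."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def minimise_submission(sub: Dict[str, Any], key: bytes, channel: str) -> Dict[str, Any]:
    """Return {'shared': minimised record, 'ledger': internal DSAR ledger entry}."""
    shared = json.loads(json.dumps(sub))  # deep copy; the evidence copy is never mutated
    subjects: Dict[str, Dict[str, str]] = {}  # token -> {kind, value}, stays internal

    def tokenise(value: str, kind: str) -> str:
        token = pseudonym(value, kind, key)
        subjects[token] = {"kind": kind, "value": value}
        return token

    shared["affected_users"] = [tokenise(u, "user") for u in sub.get("affected_users", [])]
    shared["customer_accounts"] = [tokenise(a, "acct") for a in sub.get("customer_accounts", [])]
    # Free text can carry identifiers the structured fields do not list.
    shared["summary"] = EMAIL_RE.sub(lambda m: tokenise(m.group(0), "user"), sub["summary"])
    # Internal addressing is generalised to /24s: enough for pattern analysis, not host-level.
    shared["internal_hosts"] = sorted(
        {".".join(h.split(".")[:3]) + ".0/24" for h in sub.get("internal_hosts", [])}
    )

    # Residual check on everything except the deliberately unredacted indicators.
    scrub_view = {k: v for k, v in shared.items() if k != "indicators"}
    if EMAIL_RE.search(json.dumps(scrub_view)):
        raise ValueError("an e-mail address survived minimisation")

    ledger = {
        "submission_id": sub["submission_id"],
        "channel": channel,
        "original_sha256": canonical_digest(sub),
        "shared_sha256": canonical_digest(shared),
        "subjects": subjects,
    }
    return {"shared": shared, "ledger": ledger}


def dsar_lookup(ledgers: List[Dict[str, Any]], identifier: str) -> List[Dict[str, str]]:
    """Answer 'what about me was shared, and through which channel?' from the ledger."""
    hits: List[Dict[str, str]] = []
    for entry in ledgers:
        for token, subj in entry["subjects"].items():
            if subj["value"].lower() == identifier.lower():
                hits.append({"submission_id": entry["submission_id"],
                             "channel": entry["channel"], "token": token})
    return hits


if __name__ == "__main__":
    result = minimise_submission(SAMPLE_SUBMISSION, DEMO_KEY, "JCDC")
    print(json.dumps(result["shared"], indent=2))
    print(dsar_lookup([result["ledger"]], "alice.smith@example.com"))
```

The ledger, not the shared copy, is what the DSAR team queries; the shared copy contains only tokens, so a request can be answered (and the submission located by its recorded digest) without the recipient ever holding the mapping. Rotating the key changes every token, so key rotation should be scheduled between, not during, a correlated investigation.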

CISA’s plan stresses measurement and accountability. The agency will publish implementation reports detailing progress against objectives, and it expects partners to adopt metrics that demonstrate risk reduction. Boards should require periodic updates on how organisational metrics align with CISA’s benchmarks, including counts of incidents reported to CISA, participation in exercises, remediation of vulnerabilities highlighted through CISA services, and improvements in supply-chain security. Including DSAR metrics—such as average completion time for security-related requests or the number of DSARs linked to shared threat data—helps illustrate the organisation’s commitment to privacy even as it increases information sharing.

Finally, the plan underscores the importance of cross-sector resilience. CISA intends to convene industry, state, local, tribal, and territorial partners to rehearse coordinated response. Organisations should establish mutual aid agreements, sector-specific information sharing and analysis centre (ISAC) memberships, and memoranda of understanding that specify governance roles, evidence handling, and privacy obligations. Tabletop exercises should simulate DSAR influx following a major incident alongside simultaneous regulatory reporting, ensuring communications, legal, and customer-facing teams can provide consistent answers. By aligning governance structures, implementation sequencing, and privacy controls with CISA’s 2024–2026 strategy, organisations strengthen both their defensive posture and their capacity to honour individual data rights even during high-pressure cyber crises.
