
CISA Unveils 2024–2026 Cybersecurity Strategic Plan — August 3, 2023

CISA’s 2024–2026 strategic plan requires executive governance to steer joint cyber defense planning, phased implementation across the three mission goals, and privacy-aware evidence collection to satisfy DSARs tied to threat reporting.


The Cybersecurity and Infrastructure Security Agency (CISA) released its 2024–2026 Cybersecurity Strategic Plan on , setting out how the U.S. government intends to partner with critical infrastructure operators to reduce systemic risk. The plan organizes CISA’s mission around three goals—address immediate threats, harden the terrain, and drive security by design—supported by nine strategic objectives. Boards and executive teams at critical infrastructure operators must translate the plan into internal governance mandates, because CISA expects joint planning, operational collaboration, and transparent reporting from private-sector owners. Implementing the plan’s programs involves sharing operational technology (OT), IT, and identity telemetry that can include personal data, so privacy teams must align information-sharing agreements with data subject access request (DSAR) obligations under state and sectoral laws.

Goal 1, “Address Immediate Threats,” commits CISA to accelerating whole-of-nation operational collaboration. Objectives include rapidly identifying and disrupting adversaries, enabling more victims to report incidents, and improving response coordination through the Joint Cyber Defense Collaborative (JCDC).

Teams should establish governance structures that connect their security operations centers, legal counsel, communications teams, and senior leadership to the JCDC engagement model. Participation requires clearly documented authorities for sharing incident artifacts, indicators of compromise, and lessons learned with federal partners while safeguarding personally identifiable information (PII). Privacy officers should vet playbooks to ensure any shared data aligns with statutory sharing permissions, minimizes personal data, and tracks which records must be retrievable to answer DSARs from employees, customers, or partners whose information may be included in incident submissions.

Goal 2, “Harden the Terrain,” focuses on raising baseline security for the most targeted sectors and scaling good practices across small and medium-sized entities. CISA plans to deliver sector risk management agency (SRMA) playbooks, secure-by-design technical guidance, and tools to help resource-constrained operators implement frameworks such as NIST CSF and the cross-sector Cyber Performance Goals. Boards should oversee adoption of these resources, making sure management aligns them with existing enterprise risk management programs, internal audit cycles, and business continuity plans.

Implementation teams can sequence activities by mapping CISA’s cross-sector goals to current maturity assessments, using risk registers to prioritize patches, segmentation, identity security, and logging investments. Because many of these efforts involve collecting detailed employee access records and customer interaction logs, DSAR handling must be embedded in the control design. Teams should catalog what personal data is stored in centralized logging platforms, define retention periods, and ensure DSAR processes can retrieve or redact entries without undermining evidentiary integrity.
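The paragraph above asks for a logging design in which a DSAR can retrieve or redact a data subject's entries without undermining evidentiary integrity. The following added example (not code from the briefing, from CISA, or from any product) shows one way to reconcile those two demands: each ingested line is hashed, the hashes are chained, and a redaction replaces the line text but keeps the original leaf hash and writes a ledger entry, so the chain still verifies and any later tampering with unredacted lines or with the sequence is detected. The log lines, the `Entry` record, the `REDACTION_MARK` token, and the genesis value are all constructed for this example.

```python
"""Added example: tamper-evident log store with DSAR retrieval and redaction.
Not part of the briefing or of CISA guidance; all log lines are constructed."""
import hashlib
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Constructed sample log lines using documentation-range IP addresses.
SAMPLE_LOG = [
    "2023-08-03T10:00:01Z auth login user=alice@example.com src=203.0.113.5 result=success",
    "2023-08-03T10:00:07Z auth login user=bob@example.com src=198.51.100.9 result=failure",
    "2023-08-03T10:02:30Z vpn connect user=alice@example.com src=203.0.113.5",
    "2023-08-03T10:05:00Z ids alert sig=ssh-bruteforce src=198.51.100.9 count=42",
]

REDACTION_MARK = "[REDACTED:dsar]"   # constructed token marking an erased identifier
GENESIS = "0" * 64                   # constructed starting value for the hash chain


@dataclass(frozen=True)
class Entry:
    seq: int
    line: str        # current text; may be redacted
    leaf: str        # sha256 of the ORIGINAL line, never rewritten
    chain: str       # sha256(previous chain value + leaf); binds order and content
    redacted: bool = False


def leaf_hash(line: str) -> str:
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


def build_chain(lines: List[str]) -> List[Entry]:
    """Ingest lines once, computing a hash chain over the original content."""
    entries, prev = [], GENESIS
    for seq, line in enumerate(lines):
        leaf = leaf_hash(line)
        prev = hashlib.sha256((prev + leaf).encode("utf-8")).hexdigest()
        entries.append(Entry(seq, line, leaf, prev))
    return entries


def find_subject_entries(entries: List[Entry], identifier: str) -> List[int]:
    """DSAR access request: sequence numbers of entries naming the data subject."""
    return [e.seq for e in entries if identifier in e.line]


def redact_subject(entries: List[Entry], identifier: str) -> Tuple[List[Entry], List[Dict]]:
    """DSAR erasure: replace the identifier in matching entries. The original
    leaf hash is kept, so the chain still verifies, and a ledger records what
    was changed and why (the ledger is the evidence that a redaction occurred)."""
    pattern = re.compile(re.escape(identifier))
    new_entries, ledger = [], []
    for e in entries:
        if identifier in e.line:
            redacted_line = pattern.sub(REDACTION_MARK, e.line)
            new_entries.append(replace(e, line=redacted_line, redacted=True))
            ledger.append({"seq": e.seq, "original_leaf": e.leaf,
                           "redacted_leaf": leaf_hash(redacted_line),
                           "reason": "DSAR erasure"})
        else:
            new_entries.append(e)
    return new_entries, ledger


def verify_chain(entries: List[Entry]) -> bool:
    """Recompute the chain. Unredacted entries must still hash to their leaf;
    redacted entries are vouched for by the stored leaf plus the ledger.
    Deleting, reordering, or editing an unredacted entry breaks verification."""
    prev = GENESIS
    for seq, e in enumerate(entries):
        if e.seq != seq:
            return False
        if not e.redacted and leaf_hash(e.line) != e.leaf:
            return False
        prev = hashlib.sha256((prev + e.leaf).encode("utf-8")).hexdigest()
        if prev != e.chain:
            return False
    return True


if __name__ == "__main__":
    log = build_chain(SAMPLE_LOG)
    print("subject entries:", find_subject_entries(log, "alice@example.com"))
    redacted, ledger = redact_subject(log, "alice@example.com")
    print("chain intact after redaction:", verify_chain(redacted))
    print("ledger:", ledger)
```

The design choice worth noting is that the redaction ledger, not the log line, becomes the retrievable record for the DSAR: it shows which entries were touched and when, while the leaf hash still proves the original line existed in that position. A redacted entry's current text is covered only by the ledger's `redacted_leaf`, so the ledger itself needs the same retention and access controls as the log.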

Goal 3, “Drive Security by Design,” aims to shift the technology ecosystem so secure products are the default. CISA pledges to push technology manufacturers toward outcome-based security metrics, vulnerability reduction, and rapid updates, while helping consumers demand safer products. Enterprises consuming commercial technology must interpret this goal as a prompt to reassess procurement governance.

Vendor management programs should incorporate CISA’s secure-by-design and secure-by-default principles into requests for proposals, contract clauses, and supplier performance reviews. Implementation teams should adopt software bill of materials (SBOM) collection, vulnerability disclosure timelines, and secure configuration baselines. Privacy leaders need to ensure procurement artifacts record how suppliers process personal data and what contractual pathways exist to satisfy DSARs routed to third-party systems, particularly when threat intelligence submissions reference vendor-managed logs.

The plan also highlights cross-cutting enablers: strengthening CISA’s workforce, enhancing data and technology capabilities, and expanding partnerships. Teams should mirror these enablers by investing in governance bodies that unify cybersecurity, privacy, and compliance talent. Establishing executive-level cybersecurity councils that meet at least quarterly creates accountability for implementing CISA-aligned programs. Councils should review risk metrics, incident trends, DSAR volumes tied to security events, and progress on CISA-aligned milestones. Documenting these reviews supports regulatory inquiries and shows that leadership is engaging with federal guidance.

Implementing CISA’s plan requires a phased roadmap. Phase 1 might focus on joining or deepening engagement with the JCDC, registering for CISA’s vulnerability scanning services, and mapping the organization’s adoption status for the Cyber Performance Goals.

Phase 2 can address procurement reforms, secure software development life-cycle improvements, and deployment of logging architectures consistent with CISA’s binding operational directives for federal agencies. Phase 3 should institutionalize metrics reporting, including mean time to detect, patching cadences, phishing resilience, and DSAR response times for security-related requests. Each phase should include change management components—training, awareness, tabletop exercises, and communications—that explain to teams why sharing information with CISA supports collective defense while still respecting privacy rights.

Privacy compliance is integral. Incident submissions, vulnerability reports, and threat intelligence feeds often include personal identifiers, such as employee email addresses, IP addresses, or customer account numbers.

Teams should maintain data-sharing inventories that flag which CISA channels receive personal data, what minimization steps are applied, and how DSAR teams can retrieve submitted records if individuals ask what information was shared with the government. Legal teams should review relevant authorities, including the Cybersecurity Information Sharing Act (CISA) of 2015, sector-specific confidentiality protections, and contractual notice obligations. They must also align security incident reporting timelines under federal and state regimes with DSAR statutory deadlines to prevent conflicting obligations.
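The two paragraphs above describe minimizing personal identifiers in outbound submissions while keeping a data-sharing inventory that can answer "what did we share about this person". The added example below (not code from the briefing, from CISA, or from any sharing platform) demonstrates one concrete pattern: identifiers are replaced with keyed pseudonyms (HMAC-SHA256 under an organization-held key) before text leaves the organization, and each submission is recorded with its channel and the pseudonyms it contained, so a DSAR team can recompute a subject's pseudonym and locate the records. The `SharingInventory` class, the identifier patterns, the channel name, the key, and the sample submission text are all constructed for this example.

```python
"""Added example: keyed pseudonymization before external sharing, plus a
data-sharing inventory for DSAR lookups. Not part of the briefing or of any
CISA program; key, channel names and submission text are constructed."""
import hashlib
import hmac
import re
from typing import Dict, List, Set, Tuple

# Constructed identifier patterns; a real deployment would cover more kinds.
IDENT_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed demo key. In practice this is a secret managed by the privacy
# or security team, never sent along with the submission.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(kind: str, value: str, key: bytes) -> str:
    """Deterministic, keyed pseudonym: same input and key give the same token,
    but nobody without the key can link the token back to the value."""
    tag = hmac.new(key, f"{kind}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{kind}_{tag[:16]}"


def minimize(text: str, key: bytes) -> Tuple[str, Dict[str, Set[str]]]:
    """Replace every identifier in text with its pseudonym. Returns the
    minimized text and the original values found, grouped by kind. Using
    re.sub (not str.replace) avoids clobbering values that contain others."""
    found: Dict[str, Set[str]] = {}

    def swap(kind: str):
        def _sub(m: re.Match) -> str:
            found.setdefault(kind, set()).add(m.group(0))
            return pseudonym(kind, m.group(0), key)
        return _sub

    out = text
    for kind, pat in IDENT_PATTERNS.items():   # emails first, then IPs
        out = pat.sub(swap(kind), out)
    return out, found


class SharingInventory:
    """Internal record of what was sent through which channel. Only
    pseudonyms and the minimized text are stored, so the inventory itself
    does not become a second copy of the personal data."""

    def __init__(self, key: bytes):
        self.key = key
        self.records: List[Dict] = []

    def submit(self, channel: str, submitted_at: str, raw_text: str) -> str:
        minimized, found = minimize(raw_text, self.key)
        pseudonyms = sorted(pseudonym(k, v, self.key)
                            for k, vals in found.items() for v in vals)
        self.records.append({"channel": channel, "submitted_at": submitted_at,
                             "pseudonyms": pseudonyms, "shared_text": minimized})
        return minimized   # this is the only text that leaves the organization

    def dsar_lookup(self, kind: str, value: str) -> List[Dict]:
        """Answer a DSAR: which submissions referenced this identifier?"""
        p = pseudonym(kind, value, self.key)
        return [r for r in self.records if p in r["pseudonyms"]]


# Constructed sample submission text (documentation-range IP addresses).
SAMPLE_SUBMISSION = ("Suspicious login for alice@example.com from 203.0.113.5; "
                     "bob@example.com reported the phishing lure.")


def demo() -> Tuple[str, int, int]:
    """Run one submission and two DSAR lookups; returns values for checking."""
    inv = SharingInventory(DEMO_KEY)
    shared = inv.submit("JCDC incident report", "2023-08-03T12:00:00Z", SAMPLE_SUBMISSION)
    hits_alice = len(inv.dsar_lookup("email", "alice@example.com"))
    hits_carol = len(inv.dsar_lookup("email", "carol@example.com"))
    return shared, hits_alice, hits_carol


if __name__ == "__main__":
    shared_text, alice, carol = demo()
    print("shared:", shared_text)
    print("DSAR hits for alice:", alice, "| for carol:", carol)
```

Because the pseudonym is keyed, the inventory can be searched by recomputing a subject's token without storing the raw identifier, and the same subject appearing across several submissions is linkable internally but not by the recipient. Adversary indicators that must stay readable for the recipient (for example a source IP in an IDS alert) would need an explicit allowlist step before `minimize`, which this example deliberately omits.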

CISA’s plan stresses measurement and accountability. The agency will publish implementation reports detailing progress against objectives, and it expects partners to adopt metrics that show risk reduction.

Boards should require periodic updates on how organizational metrics align with CISA’s benchmarks, including counts of incidents reported to CISA, participation in exercises, remediation of vulnerabilities highlighted through CISA services, and improvements in supply-chain security. Including DSAR metrics—such as average completion time for security-related requests or the number of DSARs linked to shared threat data—helps illustrate the organization’s commitment to privacy even as it increases information sharing.

Finally, the plan highlights the importance of cross-sector resilience. CISA intends to convene industry, state, local, tribal, and territorial partners to rehearse coordinated response.

Teams should establish mutual aid agreements, sector-specific information sharing and analysis center (ISAC) memberships, and memoranda of understanding that specify governance roles, evidence handling, and privacy obligations. Tabletop exercises should simulate a DSAR influx following a major incident alongside simultaneous regulatory reporting, ensuring communications, legal, and customer-facing teams can provide consistent answers. By aligning governance structures, implementation sequencing, and privacy controls with CISA’s 2024–2026 strategy, teams strengthen both their defensive posture and their capacity to honor individual data rights even during high-pressure cyber crises.

Adoption timeline

If you are affected, develop implementation roadmaps that account for resource constraints, dependencies, and risk priorities. Phased approaches typically provide better outcomes than attempting all changes at once. Early wins build momentum and show value to teams.

Progress monitoring should track implementation activities against planned timelines and identify potential issues requiring intervention. Regular reporting keeps teams informed and maintains organizational focus on implementation priorities.

Working with stakeholders

Effective stakeholder engagement ensures alignment on objectives, expectations, and implementation approaches. Communication should be tailored to different audiences, providing appropriate levels of detail for technical and executive teams.

Change management processes should address organizational readiness and potential resistance to new requirements or practices. Training and support resources help ensure successful adoption of required changes.

Long-term improvement

Continuous improvement processes should incorporate lessons learned and feedback from implementation experience. Regular reviews help identify improvement opportunities and ensure approaches remain aligned with evolving requirements.

Documentation of implementation activities and outcomes provides evidence of due diligence and supports ongoing maintenance. Knowledge capture ensures institutional learning is preserved for future reference.
