I don't think CISA has anything close to the powers required to compel that level of top down action. This strategic plan has clearly been crafted to be at least somewhat attainable given their current remit and capabilities.
You'd be surprised. Any organization regulated by federal government entities, such as banks via the OCC, FDIC, etc., are being required to "meet" CISA guidelines. ESPECIALLY those with federal/military contracts.
CISA has a lot more sway than you'd think in how businesses operate from a security point of view.
Being this broad allows for some more latitude by the businesses / sectors following these guidelines. But they certainly could've been more thorough in their approach without much push back.
As someone who is involved in compliance in these industries, I would be surprised to see CISA having anything close to the impact you described.
All I see are watered down checklists that can be verified by any human being who is semi-literate and may or may not have any relevance to security best practices. They probably were influenced on some level by CISA guidance if you're talking about .gov or commercial entities, but is nowhere near the level of impact you mentioned.
Do you have any examples of CISA guidelines having a meaningful impact on business operations?
I mean, if you think of the federal government as a gigantic conglomerate enterprise network, and then read the "Measures of Effectiveness" in this plan as the current action items for the security practice in that enterprise, it's a pretty sane list, more forward thinking than e.g. most bank security teams.
It's a conglomerate that operates in every field of endeavor imaginable. One 'division' may be the world's largest 'conglomerate' itself: It employs over 1M people, has endless internal divisions, has global 24/7 operations, and an ~ $800B budget. With that budget, I would guess that their assets are worth more than Apple's market cap.
There's not a single CIO who can dictate 'we're blocking Facebook - get to work people!'.
I understand where you're coming from but "more forward thinking than a bank" should not be the aspiration for the organization primarily responsible for cybersecurity of the United States gov. This is not a good look for CISA.
You're going to have to be more specific than "this is not a good look". It looks pretty reasonable to me, given CISA's remit. Which part do you have a problem with, the limited role CISA has to motivate and guide security adoption inside government agencies, or the specific recommendations and metrics they're managing?
This "strategic plan" is devoid of any meaningful, measurable metric. The language throughout this document is carefully crafted to appear measurable at the surface, but meticulously written to be able to accomplish one thing after X number of years: stand in front of a podium and declare that the metric has been achieved.
Example: "Help organizations safely use AI to advance cybersecurity."
How do you measure this? What does this even mean? What does success look like if this is achieved?
I extracted all the metrics from the document and put them in a comment downthread. They look pretty reasonable to me. I'm sure every security team in America has some dumb metric about AI somewhere, but AI stuff is like 5% of the whole plan.
I think you're missing the point of my comment - the point is not that there is a meaningless metric about AI, the point is that it is -not a measurable metric- by any stretch of the imagination.