CISA delivers the eagerly anticipated national cyber resiliency plan.



The 2023–2025 Strategic Plan was published by the federal Cybersecurity and Infrastructure Security Agency (CISA) in September in response to the growing susceptibility of the American infrastructure to cyberattacks.


Main Points


The plan proposes a framework for identifying and overseeing the federal government’s involvement in reducing cyber threats to national security.


CISA seeks to promote a cross-agency and “whole-of-nation” approach to risk management and resilience.


Cyber insurance markets may be impacted by implementation and results.



To gather input on moving forward with regulations, two federal engagement requests have been made.


A new mindset is necessary for cyber resilience in the present digital ecosystem.


The CISA plan comes at a time when the threat landscape is rapidly changing, and the focus of cybersecurity is appropriately shifting from asking “Are we vulnerable to attack?” to asking “How can we notice a breach, restrict the damage, and recover as quickly as possible?”



There has been a surge in the frequency of breaches for businesses in all industries.

Hackers are extending the reach of ransomware to third or fourth parties, like supply-chain partners, by employing clever strategies.

The number of enterprises estimated to have been attacked in the past year ranges from 60% to 86%, most likely because latent ransomware can go unnoticed for some time and many firms are reluctant to advertise or report attacks.


The military, hospitals, financial institutions, and supply chain providers are a few examples of organizations involved in essential infrastructure that can be attractive targets for bad actors.

According to the FBI’s 2021 Internet Crime Report, ransomware attacks affected at least one company in 14 out of 16 critical infrastructure sectors that year.

Data shows a rise in cyberattacks on US ports and terminals.


We live in a time when every government, every organization, and every individual must focus on the threat of ransomware and take action to limit the risk of being a victim, CISA Director Jen Easterly stated earlier this year in response to the escalating threats.


The “whole-of-nation” strategy, the organization’s first plan since its founding in 2018, presents a framework for unity of effort. It draws on the CISA Strategic Intent from August 2019 to lay the groundwork for the organization’s future work and incorporates four main goals:


Cyber defense against threats to National Critical Functions, risk mitigation and resilience, operational cooperation using a “whole-of-nation” strategy, and agency unification


Loss ratios for cyber insurance are declining, yet difficulties continue to grow.


Despite the rising demand for cyber risk insurance, cost-effectiveness is still elusive.

According to data from S&P Global, loss ratios declined from 75% in 2020 to 65% in 2021 following three years of continuous growth.

The number and severity of cyberattacks are on the rise, along with the costs and liabilities connected with breaches. Additionally, there is a dearth of historical incident data needed to evaluate and price risk.

Some insurers choose not to offer coverage to businesses in key infrastructure sectors because of the additional risks that liability coverage for those sectors brings.


To lay the groundwork for risk assessment, CISA aims to establish a legislative framework for the data gathering mandate of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

The law requires the reporting of significant cybersecurity events (within 72 hours) and of ransomware payments (within 24 hours of payment).

However, not all businesses in a key sector will automatically be compelled to file reports, and it doesn’t currently appear that there is a clear enforcement system in place for those that must abide by the rules.