The strategy, released March 6, emphasizes deterring cybersecurity adversaries, streamlining cybersecurity regulation, modernizing federal networks and securing critical infrastructure and emerging technologies. It calls for using both defensive and offensive operations to “shape adversary behavior,” while also promoting regulatory reforms intended to reduce compliance burdens and accelerate innovation.
Among priorities are accelerating adoption of zero-trust architecture, cloud computing and post-quantum cryptography across federal systems, as well as strengthening protections for infrastructure sectors including energy systems, telecommunications networks, financial services, water utilities and hospitals. Focused at the federal level, the document reflects work that state and local governments are already doing, including in infrastructure security.
Pillar 4 focuses on securing critical infrastructure and supply chains, noting that state, local, tribal and territorial governments (SLTT) should play a role in those efforts, describing them as “a complement to — not a substitute for — our national cybersecurity efforts.”
Dan Lohrmann, Government Technology cybersecurity columnist, said critical infrastructure is something states have been dealing with for decades, with cybersecurity now counted among potential disaster scenarios.
“The fact is that cyber could be front and center because of an attack from a foreign adversary … the lights go out, whether that’s a fire, flood, tornado, hurricane or natural disaster,” he said. “There are individual and small utilities owned specifically by cities and counties themselves, but they have been working with groups like MS-ISAC and CISA to implement cybersecurity best practices within their sectors.”
For context, the Multi-State Information Sharing and Analysis Center (MS-ISAC) provided no-cost cybersecurity monitoring and support to state, local, tribal and territorial governments for more than two decades, but now operates under a membership model after Trump and Congress ended its federal funding. The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, works with government and industry partners to identify and reduce risks to critical infrastructure.
Still, the cyber strategy offers few specifics about how federal initiatives would translate into operational support for those governments, drawing criticism from some. In an analysis published by the Institute for Security and Technology, Michael Klein noted that the strategy devotes only a single line to SLTT governments despite their role in operating and securing critical services.
“The strategy provides no roadmap for how the federal government will actually fulfill that cyber defense role and seems to stand at odds with the administration’s actions to date,” he wrote in his analysis. “The State and Local Cybersecurity Grant Program, which provided critical funding for baseline protections, was not included in the president’s budget. The Multi-State Information Sharing and Analysis Center, which offered no-cost threat monitoring and services to all SLTT entities, has seen all federal funding removed.”
Another pillar that could affect state and local governments is Pillar 2, “Promote Common Sense Regulation,” which calls for streamlining cybersecurity requirements and reducing compliance burdens.
Lohrmann pointed out that there are dozens of requirements attached to sensitive government data, including standards tied to criminal justice systems, health data and tax information. Those frameworks often overlap, he said, creating multiple compliance and audit requirements for the same systems. State governments can face dozens of cybersecurity audits in a single year under different regulatory regimes, but streamlining regulations could benefit stakeholders by saving time and money and eliminating duplicative work.
Security certifications also would benefit from harmonization, he said, and GovRAMP and other organizations are seeking to do so. Alex Whitaker, director of government affairs for the National Association of State Chief Information Officers (NASCIO), said one element of the strategy that could benefit states is its call for streamlined cybersecurity regulation.
“NASCIO is encouraged that this administration is seeking to streamline cybersecurity regulations and is hopeful that this policy will translate into real, concrete steps that will require federal agencies to evaluate and reduce those cybersecurity compliance and reporting requirements that create both financial and administrative burdens for states,” Whitaker said Tuesday via email.
The strategy states that its six pillars will guide future policy and resource decisions through additional implementation efforts. For state and local governments responsible for operating many of the nation’s essential services, those details will determine how federal cybersecurity priorities intersect with theirs.
During a panel discussion Monday at the Billington Cybersecurity Summit, speakers largely focused on the new strategy. Nevada CIO Timothy Galluzi moderated.
“I am incredibly optimistic that the increased focus on collaboration and communication with state and local government was emphasized in the panel, knowing that SLTT partners are often how strategies like this get operationalized,” Galluzi said via email. “Key themes included a desire for better communication channels, workforce pipelines and better resource information from our federal partners.
“In government and cyber, we live on relationships and communications. That is step one. Having a federal team committed to opening up those channels, wanting to hear about the good, bad and ugly, gives me hope that we are moving in the right direction to improve our environments to better protect our residents.”