CISA's 2025-2026 International Strategic Plan is the agency's first, and outlines a groundbreaking agenda for cooperation with international partners.
On October 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released their 2025-2026 International Strategic Plan. This is the first time the agency has created a plan specifically for how it will interact with the U.S.’s international partners. The agenda is meant to complement CISA’s 2023-2025 strategic plan along with their National Security Memorandum on Critical Infrastructure Security and Resilience.
The main goal for the strategy is “to shape the international environment to reduce risk to critical dependencies and set conditions for success in cooperation, competition, and conflict.” The international cyber landscape is highly interdependent and interconnected, so one of the best ways to limit the risk of serious cyberattacks that can incapacitate the nation’s critical infrastructure is by working together to limit all risk across the board. CISA aims to do this with three steps: bolster the resilience of foreign infrastructure on which the U.S. depends, strengthen integrated cyber defense, and unify agency coordination of international activities. Each goal comes with a set of objectives, enabling measures, and measures of effectiveness to help with the rollout and evaluation of the plan.
To achieve the first goal, CISA will work with international partners to identify what the most important assets are and their vulnerabilities. This will require a global shared understanding about the biggest threats to critical infrastructure ranging from cyber attacks to supply chain interdependencies, to even climate change. The other two objectives for this step are to reinforce global partnerships that advance America’s critical infrastructure priorities, and to develop the international guidelines and best practices to promote security. For each of these objectives, CISA will need to set up channels for timely, manageable communication - sharing information about threats, strengthening partnerships, and setting cybersecurity standards all need collaboration.
CISA has three objectives to meet their second goal of strengthening integrated cyber defense. First, the agency plans to reduce collective risk by developing cyber defense with its partners through their Computer Security Incident Response Team (CSIRT)-CSIRT engagements, which may improve information-sharing and build situational awareness. Next, the agency will encourage other cyber agencies “to define, adopt, and implement global cybersecurity standards, and best practices that promote U.S. cybersecurity interests”, including secure AI systems, and Secure by Design standards. The last objective is maybe the most obvious means of achieving the second goal - CISA plans to build up the cyber and physical resilience abilities of the U.S.’s key partners through training, exercises, and sharing information.
To accomplish the “unity of effort” necessary to coordinate international activities, CISA will sort out its internal workflows. The agency’s Stakeholder Engagement Division (SED) will provide the governance system that gives advice on international issues and can set priorities. The SED will also be instrumental to harmonizing CISA’s international functions and materials as they will coordinate policy and dissemination of international information across the agency. The last objective is to train and educate CISA employees who will be involved in international activities, and even give culturally-sensitive instruction for appropriate locations.
In the press release, Director of CISA Jen Easterly said that through this plan, “CISA will improve coordination with our partners and strengthen international relationships to reduce risk to the globally interconnected and interdependent cyber and physical infrastructure that Americans rely on every day.” The main themes of the plan are collaboration, communication, and organization - which are in fact apt for working with international cybersecurity agencies all around the world. Still, there is a lot of work to be done. The conclusion explains that the plan “creates opportunities for shared success and is a process, not simply a publication; therefore, CISA will review progress quarterly.” CISA does not typically share their plans to review a strategy - so it appears that this is a priority, and that we can look forward to more updates in the next year as they track progress.