In 2021, CISA and our partners across government and the private sector created a new kind of partnership organization — the Joint Cyber Defense Collaborative (JCDC). While our model is still evolving, we collectively demonstrated how persistent collaboration and frictionless engagement can yield benefits in addressing exigent risks like the Log4Shell vulnerability and potential cyber activity resulting from Russia’s full-scale invasion of Ukraine. However, collaborating around immediate risks is necessary but not sufficient. We must also look over the horizon to collaboratively plan against the most significant cyber risks that may manifest in the future. This proactive planning is foundational to JCDC, as first envisioned by the Cyberspace Solarium Commission and then codified by Congress.
To advance this critical aspect of our work, CISA and our partners are proud to announce JCDC’s 2023 Planning Agenda. This Agenda is the first of its kind — a forward-looking effort that will bring together government and the private sector to develop and execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. We will continue to expand the breadth and depth of our partnership to maximize both the completeness and impact of these planning efforts.
Through a rigorous process that included input from subject matter experts and our government and private sector partners, we have developed a Planning Agenda focused on three topic areas: systemic risk, collective cyber response, and high-risk communities.
While all organizations are at risk of cyber intrusions, we know that certain elements of the ecosystem can be abused by malicious actors to achieve widespread impacts. To reduce these types of risk at scale, we will convene key partners across the following efforts:
- Understand and mitigate risks potentially posed by open source software (OSS) used in industrial control systems
- Advance cybersecurity and reduce supply chain risk for small and medium critical infrastructure entities through collaboration with remote monitoring and management, managed service providers, and managed security service providers
- Deepen operational collaboration and integration with the Energy Sector, in partnership with the Department of Energy
- Identify approach to enhance security and resilience of edge devices for the water sector
- Over the past several years, government and the private sector have significantly advanced our processes and approaches for incident response, but our plans and doctrine have not kept up. JCDC will lead an effort to update the National Cyber Incident Response Plan, in close coordination with the Federal Bureau of Investigation and other partners, which will include articulating specific roles for non-federal entities in organizing and executing national incident response activities.
Malicious cyber actors do not only target critical infrastructure or businesses; to the contrary, we know that high-risk communities, such as civil society organizations that support journalists, and cybersecurity researchers are routinely targeted by adversaries seeking to undermine American values and interests. JCDC will lead collaborative planning efforts with key non-government organizations, government, and industry stakeholders to develop a cyber defense plan for civil society organizations who are at high risk of being targeted by foreign state actors.
