2021-2025 Strategic Technology Roadmap Overview


FEB 2021

CYBERSECURITY & INFRASTRUCTURE SECURITY

CISA Strategic Intent

Chief Technology Officer

CISA Colleagues and Partners,

CISA continues to build on the opportunities to stand up a straightforward, repeatable, and transparent technology investment strategy. Our annual Strategic Technology Roadmap (STR) provides evidence-based recommendations to help you enable and influence future capabilities. I’m hopeful this Overview publication is useful and shows you where we are headed with STR Version 3 (STRv3). Over the next few pages, we’ll discuss technology capabilities in development, desired future capabilities, and provide a forecast of the technologies CISA will look to invest in beyond 2025. The STR focuses exclusively on future technology capabilities to address persistent risks imposed by available technologies and future risks discovered from meta-analyses of hundreds of authoritative artifacts, and it is scoped for that purpose.

CISA’s mission is to lead the national effort in understanding and managing cyber and physical risk. Guiding CISA technology investment towards the right mix of technology capabilities to best serve this mission is an evolving challenge. The STR serves as an annual touchstone for this challenge by identifying the technologies receiving current investments and revealing the opportunity areas for future growth.

On an annual basis, the STR examines how CISA defends today and secures tomorrow. To understand how we defend today, the STR:

1. Provides well-researched, evidence-based input to critical decision points that affect future CISA technology capabilities;
2. Identifies capability demands based on rigorous assessment criteria and provides recommendations regarding further use and development of technologies to meet the demands;
3. Applies methods to analyze selected, significant emerging standards to estimate potential risks;
4. Describes where capability demands identified in the previous STR are carried forward, where applicable, into this version;
5. Forecasts relevant capabilities based on formal research and development (R&D) pipelines; and
6. Speculates over the horizon technologies that could address specific cyber challenges.

STRv3 reveals to CISA and our partners the technology demand areas where increased investment through 2025 would have the greatest net effect. It does this by comparing current and near-term CISA technology investment with meta-analyses of research produced by CISA and our government and industry partners.

STRv3 incorporates improved research and analysis methods to provide more accurate linkages and supportive rationale, from findings to recommendations, to form a guide for CISA technology investments.

STRv3 identifies 20 demand areas, organized into three technology domains – Cybersecurity, Communications, and Critical Enablers. We identify actionable recommendations for each demand area.

Looking to the future—the “securing tomorrow” element of our mission—we wrap up STRv3 with our projections of the capabilities CISA may have equities in developing beyond the 2025 horizon. Though some of these capabilities may currently exist in limited or isolated instances, they have the potential for wide adoption. CISA needs to be ready to embrace their development and capture their value as the technology reaches maturity.

We welcome collaboration efforts from our colleagues and partners on these exciting future possibilities.

Brian Gattoni
CISA Chief Technology Officer

TABLE OF CONTENTS

MESSAGE FROM THE CHIEF TECHNOLOGY OFFICER
INTRODUCTION
TIMELINE AND FEEDBACK LOOP
CAPABILITY DEMANDS
CAPABILITY FORECASTS
TECHNOLOGY STANDARDS
TECHNOLOGY SPECULATION
CONCLUSION

INTRODUCTION

This overview summarizes the purpose and conclusion of the larger, more detailed CISA STR publication—a publication that is critical to informing senior leaders and harmonizing the CISA technology investment within the 2021 to 2025 timeframe. This document does not describe any particular CISA project and should not be seen as any kind of request for proposals or applications.

The STR—created in alignment with key CISA strategic planning documents—guides CISA technology investment towards achieving the agency’s tailored capability goals of aligning and integrating our technology; maximizing our effect on cyber and critical infrastructure risks; and providing emergency communications. This overview provides high-level summaries of the STR’s four sections:

CAPABILITY DEMANDS

Identifies capability demands based on artifacts such as security and vulnerability assessments. CISA identified these capability demands via analysis of hundreds of authoritative artifacts produced by CISA; federal, state, local, tribal, and territorial (FSLTT) partners; academia; and private industry. It categorizes the capability demands into 20 demand areas, organized into three technology domains, with actionable recommendations. The actions are standardized so that analysis will have consistent meaning in future STR reports. The standardized terms used across all capability demands are: ADOPT, DEMO (Demonstrate), INVEST, WATCH, DEFER, and DECIDE (decision to continue or stop).

CAPABILITY FORECASTS

Aligns the capability demands to active R&D projects. For STRv3, CISA identified 23 relevant projects from DHS S&T, CISA NRMC, and DARPA based on specific criteria. These projects intersect with all but 5 of the 20 capability demand areas. These five gaps between capability demands and R&D projects represent opportunities to address risks through engagements and consultations, and to advance the state of the art through R&D.

TECHNOLOGY STANDARDS

Analyzes technology standards of significant interest addressing cybersecurity, critical infrastructure, and emergency communications. Based on criteria, the STRv3 identified standards requiring heightened situational awareness and participation to mitigate risk potential. As a new focus area for STR, we expect the analysis method to greatly improve and the findings to increase in value and outcome.

TECHNOLOGY SPECULATION

Looks beyond the 5-year planning cycle at new and emerging technologies, technologies with potential for capturing significant market share or creating new markets, and technologies that present exceptional risks. In STRv3, this section focuses on two broad technology areas, each composed of many independently evolving technologies: Cross-Platform Information Exchange Management using blockchain technology; and Detecting and Countering Deepfake Technology.

TIMELINE AND INVESTMENT LOOP

The STR follows an annual publication cycle with delivery planned for early December each year and kick-off for the next version while the current version is in review. Throughout the year, the CISA Chief Technology Officer (CTO) team builds the STR by analyzing and integrating hundreds of artifacts such as CISA security and vulnerability assessments and gaps/requirements for portfolios of current CISA acquisition programs. The team also seeks to discover new, peer-reviewed studies that help to improve STR methods, analysis and findings, and recommendations.

To maximize its utility, the STR aligns with CISA’s planning, programming, and budgeting execution (PPBE) cycle, providing input to CISA strategic planning activities such as:

- program decision options (PDOs);
- the resource allocation plan (RAP), which details CISA’s program funding;
- annual operating plans (AOPs) of each CISA division; and
- proposals for R&D submissions and lab projects.

The output from strategic planning documents—as well as budget allocation from the PPBE process—feeds into program plans, which provide input into future releases of the STR. This multi-faceted planning cycle increases the effectiveness of the technology investments necessary to fulfill the CISA mission.

CAPABILITY DEMANDS

Through analyzing hundreds of artifacts—from CISA, FSLTT, partners, and private industry—as well as ongoing research, CISA identified new capability demands since publishing STRv2 and verified capability demands to move forward from STRv2. Importantly, these combined capability demands are opportunities to build upon planned capability deployments and enhancements (CD&Es) with new technologies and to enhance the existing CISA Mission Environment (CME).

STRv3 categorizes the capability demands into 20 demand areas, organized into three technology domains derived from similarities among the capability demand areas. The three technology domains are Cybersecurity, Communications, and Critical Enablers.

DEMAND SCORES

DOMAIN: CYBERSECURITY
- Deception Technologies
- ICS Patching
- ML and Large-Scale Analytics
- ML and SOAR
- Network Systems Security
- Non-IP Based SCADA/ICS Protocol Monitoring
- Software Assurance and Vulnerability Management
- Vehicle Security
- Zero Trust Architecture (ZTA)

DOMAIN: COMMUNICATIONS
- Cellular Security
- Computer-Aided Dispatch Interoperability
- LMR to Cellular Interoperability
- Mission Critical Voice on Cellular Network
- Next Generation Network Priority Services

DOMAIN: CRITICAL ENABLERS
- Authoritative Time Source
- Digital Twin
- Distributed Enterprise Data Management
- EMP and GMD Disturbance Mitigations
- Risk Architecture and Advanced Analytics
- Single, Cross-Program Release and Change Management Tool

Recommended actions by demand area, in the order given across the timeline columns (2 YRS, 2-3 YRS, 3-4 YRS, 4-5 YRS, 5 YRS):

CYBERSECURITY
- Deception Technologies: ADOPT
- ICS Patching: INVEST, DECIDE
- ML and Large-Scale Analytics: INVEST, DECIDE
- ML and SOAR: DEMO, DECIDE
- Network Systems Security: DEMO, DECIDE
- Non-IP Based SCADA/ICS Protocol Monitoring: INVEST/DEMO, DECIDE
- Software Assurance and Vulnerability Management: DEMO, DECIDE
- Vehicle Security: INVEST, DECIDE
- Zero-Trust Architecture (ZTA): INVEST, DECIDE

COMMUNICATIONS
- Cellular Security: INVEST, DEMO, DECIDE
- Computer-Aided Dispatch Interoperability: INVEST, DEMO, DECIDE
- LMR to Cellular Interoperability: INVEST, DECIDE
- Mission Critical Voice on Cellular Network: INVEST, DECIDE
- Next Generation Network Priority Services: INVEST, DEMO, DECIDE

CRITICAL ENABLERS
- Authoritative Time Source: WATCH, WATCH, DEMO, DECIDE
- Digital Twin: INVEST, DEMO, DECIDE
- Distributed Enterprise Data Management: DEMO, DECIDE
- EMP and GMD Disturbance Mitigations: ADOPT
- Risk Architecture and Advanced Analytics: ADOPT
- Single, Cross-Program Release and Change Management Tool: ADOPT

CAPABILITY FORECASTS

Commercial industry offers a wide range of products to address capability demands; however, there are conditions where product evolution may stop or slow (e.g., encounters a development plateau), or may not be commercially viable (e.g., a low demand/high development cost). Where commercial industry has no known or available solution due to these conditions, the STR defines linkages between capability demands and active R&D projects. CISA is partnered with DHS S&T for R&D projects to continuously track, forecast, and adjust its understanding of future capability demands and discover disruptive technologies that advance the state of the art and counter current, emerging, and potential adversary capabilities and other threats to the critical infrastructure.

STR identifies 12 DHS S&T R&D projects, 10 DARPA R&D projects, and 1 CISA NRMC project that support 15 of the 20 capability demand areas.

It should be noted that Single, Cross-Program Change Management Tool is a commodity technology, so it would not be expected to have associated R&D projects—the exception to this understanding may be the increasingly complex nature of the .gov infrastructure as it migrates on and off premise into physical, virtual, and code-only instances of devices.

The ZTA concept is sufficiently mature for demonstrations, so it would also not be expected to have associated R&D projects. These gaps between capability demands and active R&D projects represent opportunities to further explore the state of the art and expected value in initiating new R&D projects.

Mitigation actions to address these gaps include the definition of new requirements for R&D projects and a review of existing engagements and consultations, particularly where a demand is outside of CISA’s direct influence or control.

The Joint Collaborative Environment (JCE), as recommended by the Cyberspace Solarium Commission, is a recent priority within CISA to address operational concerns. Many of the identified capability demand areas support implementing this new operational capability (e.g., Distributed Enterprise Data Management, ML – Large Scale Analytics, ML – SOAR, and Single, Cross-Program Release and Change Management Tool).

Implementing the JCE will necessitate coordinated development and implementation of new and existing capabilities across CISA. Data management and analytics are important technology underpinnings for the JCE upon which expected JCE outputs depend.

PROJECTS MAPPED TO CAPABILITY DEMAND AREAS

The following alignment of Capability Forecasts to the Capability Demand Areas illustrates opportunities for future R&D investments.

TECHNOLOGY STANDARDS

New in STRv3 is a method and analysis of technology standards with risk potential within the scope of the CISA mission. STR expands the view into future technologies by analyzing proposed technology standards that could be disruptive to cybersecurity, critical infrastructure, or emergency communications. CISA is encouraged to participate with other government agencies to help monitor and influence emerging technology standards, and to maintain situational awareness and mitigate potential risks.

The table below provides qualitative assessments of various technology standards subjects against risk criteria derived from CISA’s strategic priorities. Standards with multiple high ratings merit additional analysis to understand and mitigate potential risks.

[Table: STANDARDS SUBJECT AREAS versus RISK CRITERIA; only fragments survive: "5G", "New", "Potential to reduce U.S."]
