I mean, if you think of the federal government as a gigantic conglomerate enterprise network, and then read the "Measures of Effectiveness" in this plan as the current action items for the security practice in that enterprise, it's a pretty sane list, more forward thinking than e.g. most bank security teams.
It's a conglomerate that operates in every field of endeavor imaginable. One 'division' may be the world's largest 'conglomerate' itself: It employs over 1M people, has endless internal divisions, has global 24/7 operations, and an ~ $800B budget. With that budget, I would guess that their assets are worth more than Apple's market cap.
There's not a single CIO who can dictate 'we're blocking Facebook - get to work people!'.
I understand where you're coming from but "more forward thinking than a bank" should not be the aspiration for the organization primarily responsible for cybersecurity of the United States gov. This is not a good look for CISA.
You're going to have to be more specific than "this is not a good look". It looks pretty reasonable to me, given CISA's remit. Which part do you have a problem with, the limited role CISA has to motivate and guide security adoption inside government agencies, or the specific recommendations and metrics they're managing?
This "strategic plan" is devoid of any meaningful, measurable metric. The language throughout this document is carefully crafted to appear measurable at the surface, but meticulously written to be able to accomplish one thing after X number of years: stand in front of a podium and declare that the metric has been achieved.
Example: "Help organizations safely use AI to advance cybersecurity."
How do you measure this? What does this even mean? What does success look like if this is achieved?
I extracted all the metrics from the document and put them in a comment downthread. They look pretty reasonable to me. I'm sure every security team in America has some dumb metric about AI somewhere, but AI stuff is like 5% of the whole plan.
I think you're missing the point of my comment - the point is not that there is a meaningless metric about AI, the point is that it is -not a measurable metric- by any stretch of the imagination.