On March 6, the White House released its “Cyber Strategy for America.” Its goal is to “communicate[] the Trump [a]dministration’s cyber vision” and to identify “six policy pillars, which will guide action and resourcing through the follow-on policy vehicles.” Obviously, the policy pillars are nonprescriptive and will generate numerous questions from agency and industry stakeholders. Nevertheless, they signal an anticipated direction for this administration and where future regulation (and opportunities) may arise. Below is a summary of the six pillars, followed by a couple of key takeaways for stakeholders as they wait for specific policies to be identified and implemented.

National Power – Not IT Governance – Is the Foundation for the Six Pillars

Questions of cyber regulation and compliance at the federal level often devolve into esoteric discussions of various frameworks and certification regimes. You hear conversations starting with, for example, “See, my program was certified under NIST 800-171 Rev. 3, but now we have to deal with Rev. 5, so I’m trying to understand the delta between my old controls and …” that would put the phrase “inside baseball” to shame. The Cyber Strategy for America looks to reshape – or perhaps refocus – these discussions.

Rather than seeing cyber strategy as an IT issue or a question of IT policy, the strategy conceptualizes it as an instrument of national power. It states:

  • “The cyber domain is key … to ensure America leads the world in finance, innovation and emerging technology, military power, and manufacturing.”
  • “This strategy … directly supports the National Security Strategy by putting America first in cyberspace.”
  • “This strategy communicates the Trump [a]dministration’s cyber vision and approach to the American people, to Congress, to our partners in industry and allies across the globe – and also to adversaries.”

Pillar 1: Shape Adversary Behavior

As telegraphed by the title of this post, we don’t yet know anything about how the Trump administration plans to execute this policy goal. But the fact that this is a goal at all is notable. Ever since the Active Cyber Defense Certainty Act – the “hack back” bill – was first introduced in 2017, some stakeholders have pushed to allow private industry more leeway to take active cyber defense measures. The strategy appears to conceptually support this goal. It states: “We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities …. We will work together to create real risk for adversaries who seek to harm us, and impose consequences on those who do act against us.” However, the White House’s national cyber director, Sean Cairncross, subsequently took a softer stance, stating: “It’s not your job to defend against the Chinese or the Russians or the Iranians.”

Pillar 2: Promote Common Sense Regulation

In what has been a common refrain from this administration, the strategy promises to “streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally.” It does not identify (or even hint at) what specific frameworks might be streamlined.

Pillar 3: Modernize and Secure Federal Government Networks

Among other things, this pillar promises to “implement[] cybersecurity best practices, post-quantum cryptography, zero-trust architecture, and cloud transition.” It also presages changes to the federal technology procurement process to “remove barriers to entry so that the government can buy and use the best technology.” It is interesting that this pillar was published at the same time the Department of War executed a very public preemptive strike on who can provide it with artificial intelligence (AI) models. It also appears there may be tension between the goals of standardizing initiatives such as zero trust and cloud transitions across the federal government and the goals of Pillar 2. Once again, we will have to wait and see how the administration puts these goals into practice.

Pillar 4: Secure Critical Infrastructure

The importance of securing critical infrastructure is not new. Ever since the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was passed, the Cybersecurity and Infrastructure Security Agency has been working to iron out the reporting requirements under that law. What the strategy does is emphasize that this cannot be done by the federal government alone. There must be a partnership among state, local, tribal and territorial authorities. It also notes that security alone cannot be the focus. There must be the ability to recover quickly, highlighting the need to build and test information governance and business continuity capabilities across all elements of critical infrastructure.

Pillar 5: Sustain Superiority in Critical and Emerging Technologies

Here, the administration promises more support for blockchain security, securing the AI technology stack and implementing AI-enabled cyber tools. There is also discussion of identifying and “frustrat[ing] the spread of foreign AI platforms that censor, surveil, and mislead their users.” It is unclear how this policy goal will interact with the offensive goals of Pillar 1.

Pillar 6: Build Talent and Capacity

This pillar is relatively self-explanatory. The goal is to create a pipeline of talent for a highly skilled cyber workforce.

Two Key Takeaways for Stakeholders

1. Security Controls Will Flow Through Procurement

The strategy signals that modernization priorities – zero trust, AI-driven security, post-quantum cryptography – will be implemented through acquisition and contract requirements, not broad regulation. Expect increased scrutiny of system architectures, not just policies.

2. Heightened Supply Chain and Vendor Risk Expectations

The strategy explicitly prioritizes removal of “adversary vendors and products” from federal and critical infrastructure environments and emphasizes supply chain security across energy, telecommunications, healthcare, financial services, water and data centers. Contractors and members of critical infrastructure should begin now by identifying technology dependencies in the products and services they provide and what other options could be available should that technology be deemed a risk by the government. It is also likely they will face pressure to demonstrate resilience and recoverability, not just defensive security capabilities.