2020-2024 Strategic Technology Roadmap Overview

Through analyzing 330 technical security assessments —from CISA, FSLTT, partners, and private industry—as well asongoing research, CISA was able to identify new capabilitydemands. Importantly, these new capability demandsare opportunities to build upon planned CD&Es with newtechnologies and to enhance the existing CISA MissionEnvironment (CME). These capability demands span thetechnology domains of Common Defensive Cyber Technologies,Common Defensive Cyber Operations Technologies, andUnique SLTT and Sector Partners Technologies.STRv2CAPABILITYDEMANDSSTRv2 categorizes the new capability demands into 14demand areas—7 derived from technical security assessmentsand 7 from ongoing research and development (R&D) efforts.The 14 demand areas, in turn, map to 4 user domains and 6capability categories:1CAPABILITY DEMANDAREAS GAPSCOMMON DEFENSIVECYBER TECHNOLOGIES(.GOV, SLTT, ANDSECTOR PARTNERS)1.1PREVENTION AND DETECTION1.1.11.1.21.1.3Deception TechnologiesSoftware Assurance and Vulnerability MgtData Protection1.2ANALYTICS1.2.1ML – Large-Scale AnalyticsSTRv2CAPABILITYFORECASTINGCOMMON DEFENSIVECYBER OPSTECHNOLOGIESUNIQUE SLTT& SECTOR PARTNERSTECHNOLOGIES2.1NETWORK SECURITY ANDINFRASTRUCTURE MGT2.1.12.1.22.1.32.1.42.1.52.1.6ML – SOARNetwork Systems SecurityAuthoritative Time SourceCaller ID SpoofingMobile Device SecurityPasswordless Authentication3.1NETWORK SECURITY ANDINFRASTRUCTURE MGT3.1.1Non-IP Based ICS/SCADA ProtocolMonitoringICS Patching3.1.2SOAR technologies enable organizations toautomate IT security actions–such as loggathering, quarantining a file, hashing a file, orrunning an analytic. Organizations can then linkthese actions as well as non-security-specificactions together to execute security processes.has the potential to disrupt the basicfunctionality of private and public IT ecosystems; expands capabilities that may align with existing,planned, or future organizational functions; is not yet commercially available, meaning it isat some stage of formal R&D; and has the potential to counter known andunrealized/early pipeline adversary capabilitiesML can augment SOAR capabilities byautomating repetitive tasks. Incorporating MLinto SOAR can also allow the automation ofhistorical courses of action (COAs) taken bysecurity analysts. Automating these can freeup analysts’ time that would otherwise be useddetermining the most appropriate COAs forgiven incidents.The value of ML and SOAR to an organization isin these technologies enabling staff to focus onhigher priority or strategic efforts.Using this criteria, CISA was able to identify 27candidate projects from DHS S&T and the DefenseAdvanced Research Projects Agency.CISA was able to align candidate projects to all but 3of the 14 capability demand areas:1. Machine Learning (ML) and SecurityOrchestration, Automation, and Response(SOAR)4COMMUNICATIONSCISA Strategic Technology Roadmap OverviewML AND SOARThe R&D project:(.GOV, SLTT, ANDSECTOR PARTNERS)31.In STRv2, CISA aligned 11 of the 14 STRv2capability demand areas to relevant, active R&Dprojects—both internal to DHS, in the DHS Scienceand Technology (S&T) directorate, and external.CISA used the following criteria to make selections:. 2These three gaps between capabilitydemands and R&D projects can informorganizations of new projects thatmay need to be created to addressCISA equities.84.1NATIONAL SECURITY/EMERGENCY PREPAREDNESS(NS/EP) COMMUNICATIONS4.1.1Next Generation Network Priority Services(NGN-PS) for IP-Based Environment(Transition to IP-Based Communications)4.2EMERGENCY COMMUNICATIONS4.1.1CAD InteroperabilityCISA Strategic Technology Roadmap Overview2. Next Generation Network Priority Services(NGN-PS) for IP-Based Environment#3. Computer-aided dispatch (CAD) InteroperabilityCISA Strategic Technology Roadmap Overview9CISA Strategic Technology Roadmap Overview

2.NGN-PS FORIP-BASEDENVIRONMENTNote: as the roadmap for the CISA level 1 acquisition program, NextGeneration Network Priority Services (NGN-PS) was unavailable duringSTRv2 development, the CISA CTO team analyzed NGN-PS artifacts toderive capability demands.3 The network must be able to uniquely identify priority user trafficand associate the authorized level of priority to that traffic. The network must have prioritization means to apply to theidentified traffic.For cases where networks interconnect, traffic prioritizationindicators must be securely passed to interconnected networks fordownstream prioritization.i tybileraropednteasDIP-BCAo I onsAn t atiADi ti o i cSCns unS/ gTraommIC ri nCed itoas onPB lMr cen-I coouN o tooeSPrT imveatiThe priority user must be authenticated and authorized to receivepriority treatment.ri tthoCISA collaborates with the public and privatesectors to ensure the public safety and nationalsecurity and emergency preparedness (NS/EP)communications community has access to prioritytelecommunications and restoration services tocommunicate under all circumstances. CISA iscurrently executing an NGN-PS acquisition programto evolve priority service capabilities from circuitswitched to IP-based packet-switched networks. R&D PROJECTSAuThe evolving NGN-PS program must address priority data, video, andinformation services capabilities on the service providers’ wireline andwireless IP telecommunications networks. Priority data services shouldinclude services such as email, SMS, streaming video, enterpriseaccess, web access/browsing, and other currently used data services.Many of these data services use the public internet either completelyor partially. The role of the network within the priority services platformis to enforce priority levels on traffic associated with priority users.There are several factors critical to this enforcement function:See table for the list of R&D projects that map to the 11 capability demand areas.STRv2 provides project descriptions. CISA encourages interested readers to contactCISA Chief Technology Office via the CISA Service Desk for further details concerningthese R&D projects.sRti cOAaly--SAnMLlecaeSiesarglog--LnoMLchTe)on ityypti elri tce fidcuDe ighSe(hmss teSyorktwNengfiooonSpatiti cr IDenlleCauthsAesrdlywori tsscuPaSei ceeveDbilMoghinatcSPIConctid totean enPrce emtaran agDasu anAs ty Mare bilif tw r aSo ulneVNGN-PS will enable NS/EP users to have priority voice, data, andvideo communications as the communications networks evolve.4 Theeffectiveness of NGN-PS has a direct effect on NS/EP users’ ability toperform essential job functions. NGN-PS should benefit public safetycommunications by ensuring that first responder voice, video, and datacapabilities are operational during a national emergency.R&D PROJECTSMAPPED TOCAPABILITYDEMAND AREASChip-Scale Optical Atomic ClockDeep Packet Intelligence forIndustrial Control Systems (DEPICT)Timely and Robust Patching of IndustrialControl Systems (TROPICS)SWA Market Place (SWAMP)Application Security Threat andAttack Modeling (ASTAM)Autonomous Detection and Healingof Silent Vulnerabilities Phase IISoftware Quality Assurance (SQA)Static Analysis Tools ModernizationProject (STAMP)Advanced External UserAuthentication (AEUA)Bridging Configuration Management andVulnerability AssessmentDataProtectEmail SecurityNetIdentify3.CADINTEROPERABILITYCAD-to-CAD interoperabilityenables emergency respondersto share vital data and voiceinformation across disciplinesand jurisdictions to successfullyrespond to day-to-day incidentsand large-scale emergencies.Although it is often assumed thatemergency response disciplinesand jurisdictions alreadyseamlessly coordinate with eachother, the current reality is thatjurisdictions across the UnitedStates have a ways to go beforefully actualizing CAD-to-CADinteroperability for data and voicecommunications.Because it automates thedispatch of resources based onproximity to the incident and typeof resources required, CAD-toCAD interoperability reducesresponse time, potentially savinglives. However, the realization ofinteroperability is threatened byother emerging technologies anda lack of standardization amongsolutions. CISA intends for itstechnology investment in interoperability to help develop a standardized information exchange,technical data exchange modeland dictionary, and a standardreference architecture thatincludes necessary cybersecuritycapabilities.MitigatINg IOt-based DDoSattacks via DNS (MINION)Planning for Anycast and AntiDDoS (PAADDoS)Software Defined DDoSProtection PlatformSoftware Defined Networking forDDoS DefenseSoftware dEfined NetworkingSecurity Service (SENSS)Do Not Spoof Services forModern TelephonyVerification of CallerAscertained Logically (VOCAL)A Layered Service Provider/CustomerApproach to Call SpoofingCyber Analytics and PlatformCapabilities (CAPC)Towards Outcome-based CybersecurityRisk ManagementFoundations of ThreatIntelligence MetricsAdvancing Scientific Study of InternetSecurity and Topological StabilityInternet Risk Assessment andMitigation (I-RAM)3STRv3 is targeting all technology-related acquisition programs.CISA. (2019, July 17). Emergency Communications Division Priority Telecommunications Services. Retrieved from urvey-target-id4CISA Strategic Technology Roadmap Overview10CISA Strategic Technology Roadmap OverviewMobile Security R&D4CISA Strategic Technology Roadmap Overview111111371701100CISA Strategic Technology Roadmap Overview

The final section of STRv2 looks past CISA’s 5-year planning cycle tothe relationships between: Current market leading technologies, Emerging technologies or those technologies with potential forcapturing significant market share or creating new markets, and Projects in the R&D pipeline.BEYOND 2025:TECHNOLOGY SPECULATIONSTRv2 focuses CISA technology speculation on two broad technologyareas, each of which are composed of many independently evolvingtechnologies: Mesh of Things and production quantum computing.MESH OF THINGS:SELF-ORGANIZINGINFRASTRUCTURE ANDSERVICES DELIVERYPRODUCTION QUANTUMCOMPUTINGQuantum computing allows for many states toconcurrently operate classical analog algorithmsin parallel rather than the serial approach oftraditional computing. This speed can both enablemore powerful means of encryption and concurrentlymake existing encryption capabilities ineffective.The source of this speed is quantum particles—qubits—that can exist in a simultaneous state ofboth 1 and 0. The beauty of qubits from a cybersecurity perspective is that, if a malicious actortries to observe them in transit, their super-fragilequantum state “collapses” to either 1 or 0, thusprotecting the data. Because quantum computinghas the potential, someday, to both positively andnegatively impact the security of communicationssystems, CISA is interested in its ongoing researchand development, particularly as commercialand academic communities drive towardquantum supremacy.The growth of the Internet of Things (IOT) iscontinuing to pick up momentum, driving researchand development focused on the “Mesh ofThings,” a code-based, self-healing infrastructurethat may move computing workload and datastorage to an increasingly decentralizedarchitecture. Because this move pushes powerand storage demand closer to the consumer, itmay enable greater compute and storagecapabilities for higher-order analytics. Theend result will be faster networks and—due tocharacteristics of mesh device relationships andthe mesh’s self-healing infrastructure—significantlygreater resilience. The latter result makes theMesh of Things of particular interest to CISA.CISA Strategic Technology Roadmap Overview12CISA Strategic Technology Roadmap OverviewCONCLUSIONSTRv3CISA has developed the STR iteratively—incorporating lessons learned, improvingmethods, and expanding coverage to theentire agency—and will continue to do so withfuture versions.STRv1, released in early 2019, focusedexclusively on CISA’s National CybersecurityProtection System (NCPS) and theContinuous Diagnostics and Mitigation (CDM)programs. STRv1 relied primarily on thefindings of CISA’s .govCAR technology securityassessments as the basis for identifyingcapability demands.STRv2 added CISA’s Next GenerationNetwork Priority Services (NGN-PS) programs,significantly improved analysis methods, anda wider swathe of security and vulnerabilitysecurity assessments for identifyingcapability demands and forecastingcapabilities. CISA applied STRv2 to itsresource allocation plan (RAP) and programdecision options (PDOs). STRv2 also deliveredthe basis of a new reference architecture.In addition, it delivered specific findings andrecommendations as output from extensiveanalysis across hundreds of artifacts.STRv3 will also include new content onstandards bodies and emerging standardsof interest. Specifically STRv3 will focuson identifying standards in their earlydevelopment that could impair CISA’sability to successfully execute mission orhave some other negative effect on nationalsecurity interests.Looking further ahead to STRv4 —whileit’s too early to speculate on content—one objective will be to produce multipleversions for specific audiences. For example,CISA will develop a vendor/manufacturerversion for industry day types of events,an online interactive version that allowsviewers to isolate content through pointand-click actions on live charts, and a formalpublication for others—including decisionmakers, the acquisition executive, programmanagers, and systems engineers—responsible for continuously evolving CISA’stechnology capabilities beyond those of theNation’s adversaries.In STRv3, CISA expects to further refinemethods and better align publication withthe planning, programming, and budgetingexecution (PPBE) cycle; doing so willimprove the STR’s utility to the greater CISAcommunity. STRv3 will cover cyber, criticalinfrastructure, and communications—the fullspectrum of the CISA mission space.CISA Strategic Technology Roadmap Overview13CISA Strategic Technology Roadmap Overview

CISA Strategic Intent14CISA Strategic Intent

Roadmap (STR) publication. Specifically, it identifies the priorities of STR version . 2, 2020-2024 (STRv2) for organizations who are planning to develop candidate technologies to meet CISA capability demands. Additionally, it provi