White House Announces The 2026 Cyber Strategy For America - Forrester

Home > Featured Blogs > White House Announces The 2026 Cyber Strategy For America On Friday, March 6, the Trump administration released the latest US national cybersecurity strategy, President Trump’s Cyber Strategy for America, alongside an executive order on combating cybercrime and fraud. The document, focused on six core pillars, is the briefest cybersecurity strategy released by the US in the last decade. The biggest challenge with the document is its brevity. Coming in at only five pages of text, it lacks substantive guidance on how the initiatives included will be accomplished. With the more verbose guidance released during Trump’s previous term, combined with recent executive orders, there are meaningful ways that organizations can prepare for how this strategy will affect the broader threat landscape and their security programs. We outline each of the six pillars along with guidance on how to prepare for the changes in the national cybersecurity strategy below. Pillar One: Shape Adversary Behavior What to know: This pillar addresses the more contested, aggressive threat landscape, where ransomware gangs, state-aligned criminals, and nation-state operators have exploited US restraint at the national level. More aggressive offensive cyber operations have been a hallmark of both Trump terms. During his first term, the combination of the 2018 Department of Defense Cyber Strategy, the “defend forward” doctrine, and the 2019 National Defense Authorization Act-enabled USCYBERCOM to conduct more aggressive forward operations against foreign infrastructure. These actions laid the groundwork for continued, more aggressive offensive cyber operations, which have achieved significant successes in thwarting attacks. Especially given the cyberattacks used in Venezuela and the conflict taking place in Iran, this document serves as a reminder to USCYBERCOM and the federal government to push forward on more aggressive action. Public and private collaboration will become more important at a time when many of the resources for that collaboration have been downsized. Recognize that a more aggressive federal posture could result in collateral damage, particularly when it comes to cyberattacks associated with wars against smaller nations, where cyberattacks provide an asymmetric advantage. What to do about it: The priority for enterprises should be defensive measures, especially tailored to nations with geopolitical conflicts in which the US is actively involved. For example, after the initial strikes in Iran in 2026, there was a notable escalation in attacks from activists. According to Unit 42, state-backed groups may act in operational isolation, which could change their attack patterns. Given this and the overall more chaotic geopolitical environment, Forrester recommends holding regular sessions on geopolitical risk to continually reevaluate which threat actors are likely to target your organization and to update threat intelligence measures accordingly. Pillar Two: Promote Common Sense Regulation What to know: This pillar advances the Biden-era push for regulatory harmonization, promising “streamlined” and “common sense” regulation. Yet for a pillar that affects virtually every regulated organization in the country, it is sparse in details about what this means. Despite using the same “harmonization” language, in practice, this strategy signals deregulation — a shift away from setting and centralizing consistent, sector-specific cyber baselines. The emphasis is on ensuring that the private sector can operate with agility, but a 2025 Government Accountability Office report found that, rather than seeking deregulation, the industry wanted a single cyber authority, standardized definitions, and regulatory reciprocity to reduce burdens. Expect the federal stance on regulation to stay in flux as the administration selectively tackles regulatory topics. For example, the Cybersecurity and Infrastructure Security Agency (CISA) continues to delay its proposed CIRCIA rule to harmonize incident reporting for critical infrastructure sectors. On the other hand, the White House issued an executive order to prevent states from regulating AI, despite no federal standards being in place. Until more concrete directives materialize, the dominant condition for regulated organizations is uncertainty, not relief. What to do about it: To navigate this uncertainty, leaders must anchor their security programs in frameworks like the NIST Cybersecurity Framework 2.0, regardless of which mandates survive. This is your best technical foundation and a strong hedge against regulatory changes, since it focuses on security capabilities that map to virtually any regulation. Don’t conflate federal deregulation with reduced compliance; instead, map current regulatory obligations to your common control framework and keep it up to date. Lastly, invest in industry information-sharing coalitions now. Information sharing and analysis centers and sector working groups are becoming standard-setting vehicles as federal coordination declines, and early participation gives you influence over what those standards become. Pillar Three: Modernize And Secure Federal Government Networks What to know: This pillar reinforces the importance of Zero Trust in federal systems while calling for modernization and post-quantum readiness. It also highlights the desire to adopt AI for cybersecurity and to speed procurement. With the administration’s changes to CISA and overall downsizing, individual government agencies will be challenged to meet the broad objectives laid out in the strategy. What to do about it: Without further specificity, federal agencies should take the messages in the strategy document seriously. Continue to harden systems by aggressively maturing Zero Trust (including phishing‑resistant multifactor authentication, least‑privilege access, and strong segmentation), implementing post-quantum cryptography (with federal agencies mandated to switch by 2035), and adopting strong AI security measures. Pillar Four: Secure Critical Infrastructure What to know: Critical infrastructure has been a concern of the US federal government since the first comprehensive national strategy to secure cyberspace was released in the Bush administration. While the government’s perspective of how to address critical infrastructure has changed, the private sector has borne the burden of securing those environments. The biggest adjustment with this new strategy is that the government is explicitly directing critical infrastructure providers to move away from working with companies considered “adversary vendors” and to promote the use of US technologies. What to do about it: Regardless of how they intend to go about it, organizations that are designated as critical infrastructure must inventory their tooling and be prepared to shift to domestic or allied suppliers. Document hardware and software technologies (including through software bills of materials) and identify critical technologies that pose a risk alongside those that are simplest to rip and replace. Pillar Five: Sustain Superiority In Critical And Emerging Technologies What to know: This pillar treats emerging technologies as opportunities for power projection and as domains that are actively contested, rather than as solely opportunities for innovation. It acknowledges that companies actively adopting technologies with serious security concerns are a strategic liability for the United States; as part of that, it emphasizes the importance of post-quantum capabilities and prioritizes them in federal infrastructure security measures. This pillar makes it seem as though there is an appetite for more holistic regulation on securing AI systems. But given the rollback of Biden-era executive orders to regulate AI, and the current administration’s focus on “common sense regulations,” which typically means fewer regulations, it’s unlikely this will come to fruition. This pillar signals directionality but is unlikely to have teeth on enforcement. What to do about it: Despite challenges in enforcement, a section dedicated to this topic in the cybersecurity strategy shows its importance. Inventory where your organization uses public‑key cryptography and prioritize long‑lived, sensitive data for early migration to standards‑based, hybrid quantum‑safe algorithms. To secure AI systems, lock down training data and model artifacts, segment AI infrastructure, and monitor for abuse. Pillar Six: Build Talent And Capacity What to know: This pillar pivots from earlier workforce plans by broadening beyond the 2018 strategy’s focus on traditional technical cybersecurity skills (e.g., strengthening the pipeline of network defenders, incident responders, and threat intel analysts, even attracting top talent via merit-based immigration) and the 2023 strategy’s emphasis on governance, risk management, regulatory alignment, and “secure by design” principles. The 2026 strategy envisions a rapid expansion of cyber talent well versed in autonomous systems and AI-enabled defense tools. It frames the cyber workforce as a strategic asset and calls for cross-sector initiatives to quickly broaden the talent pool, shifting roles from manual technical operators to professionals who manage and integrate intelligent security systems as more routine tasks become automated. What to do about it: The implications of this pillar align with Forrester’s cybersecurity talent management advice to clients: Invest heavily and immediately in upskilling through AI-fluent, AI-collaborative training for your teams, and adjust hiring and development plans to emphasize skills in orchestrating and overseeing AI-driven defenses. This is critical to remaining resilient as AI reshapes the security workforce, displacing traditional roles and org structures and demanding a new generation of practitioners. Conclusion The biggest challenge with this strategy is its lack of detailed direction. It skips over international cooperation and collaboration, a core part of the 2023 and 2018 strategies, to prioritize US technology and innovation. Focus on implementing defensive measures outlined in more depth in the 2023 and 2018 strategies first and foremost, especially in the face of what this strategy most clearly signals: a more aggressive posture toward adversaries. If you’re a Forrester client, book an inquiry or guidance session with us if you have any questions about this change in strategy. Categories Cybersecurity Trends Emerging Technology Government Network Security Security Architecture Security Management Security Risk Management Security Services Zero Trust Get The Insights At Work Newsletter Business Email Address* Country* Country United States Åland Islands Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belgium Belize Benin Bermuda Bhutan Bolivia, Plurinational State of Bonaire, Sint Eustatius and Saba Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Cambodia Cameroon Canada Cape Verde Cayman Islands Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Cook Islands Costa Rica Côte d'Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guyana Haiti Heard Island and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, Republic of Kuwait Kyrgyzstan Lao People's Democratic Republic Latvia Lesotho Liberia Liechtenstein Lithuania Luxembourg Macao Madagascar Malawi Malaysia Maldives Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia, Federated States of Moldova, Republic of Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory, Occupied Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Rwanda Saint Barthélemy Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Martin Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Seychelles Sierra Leone Singapore Sint Maarten (Dutch part) Slovakia Slovenia Solomon Islands South Africa South Georgia and the South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania, United Republic of Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates United Kingdom United States United States Minor Outlying Islands Uruguay Uzbekistan Vanuatu Vatican City Vietnam Virgin Islands, British Virgin Islands, U.S. Wallis and Futuna Western Sahara Zambia Zimbabwe Yes, I’d like to receive Forrester’s Insights At Work newsletter and receive occasional survey invitations and marketing communications. Missed It Live? Watch Forrester’s Take On 2026 Scenario Planning Couldn’t make it to the live session? Watch this on-demand webinar to learn how tech leaders are applying scenario planning to budget smarter, balance AI and human talent, and build resilient strategies for whatever 2026 brings. WATCH ON DEMAND Blog RSAC Innovation Sandbox 2026: Two Sides Of AI On Display Heidi Shey 3 Days Ago AI already runs inside most enterprises. Forrester’s Q4 2025 AI Pulse Survey shows that 50% of organizations are piloting agentic AI, while 24% have it in production. Security teams are catching up after the fact. The RSAC Innovation Sandbox (ISB) finalists — Charm Security, Clearly AI, Crash Override, Fig Security, Geordie AI, Glide Identity, Humanix, […] Read More Blog Agentic Development Security: Why AppSec Needs A New Operating Model Janet Worthington 4 Days Ago Application security testing (AST) has reached an inflection point. The market is crowded, capabilities overlap, and detection alone is no longer a source of durable differentiation. DevOps platforms embed security features. Cloud-native application protection platform vendors continue to push left. Application security posture management specialists offer open-source scanning technologies. And AI frontier labs such as […] Read More