The White House’s Office of the National Cyber Director (ONCD) released its highly-anticipated 2026 National Cybersecurity Strategy, outlining how the U.S. federal government intends to protect government systems, critical infrastructure, businesses, and American citizens in an increasingly contested digital environment.
The Center for Cybersecurity Policy and Law welcomes the release of the strategy, applauds the clear direction it provides to address the United States’s most pressing cybersecurity challenges, and looks forward to seeing more details on how it will be implemented.
Through six core pillars, the strategy sets out an agenda that spans a wide range of issues. It seeks to reset the nation’s posture in cyberspace by prioritizing deterrence, strengthening national resilience, and ensuring American technological leadership. The goal is to raise the cost of malicious cyber activity for criminal and nation-state adversaries, shift the burden of defense from private companies alone to a coordinated federal-private partnership, and streamline regulations to promote innovation and board-level accountability. It aims to modernize and harden federal networks, secure critical infrastructure sectors, accelerate adoption of emerging technologies such as AI and post-quantum cryptography, and build a sustainable cyber talent pipeline.
Below is a closer look at the six pillars:
Pillar 1: Shape Adversary Behavior
The current model for deterrence in cyberspace is broken, the strategy posits. In this pillar, the strategy calls for a fundamental recalibration of the U.S.’ posture that recognizes that deterrence requires more than defense alone. To alter the strategic calculus of adversaries targeting the country, the strategy foresees a full spectrum of lawful defensive and offensive capabilities to impose real, predictable costs on nation-states and cybercriminals.
This will require coordinated disruption, sanctions, and public-private operational collaboration, particularly against advanced persistent threats (APTs) and ransomware actors. By pairing legal clarity with proportionate consequences, the U.S. can deter malicious activity, counter authoritarian digital expansion, and treat cybercrime as the national security threat it has become.
The Center looks forward to working with the Administration to help define how the private sector can responsibly and effectively operate alongside the U.S. government in the context of offensive cybersecurity operations. We welcome a collaborative dialogue that balances national security imperatives with legal clarity, risk management, and the unique capabilities of industry.
Pillar 2: Promote Common Sense Regulations
Under this pillar, the strategy calls for reforms to the U.S.’ approach to cybersecurity regulations. This notably includes greater harmonization across existing regulatory frameworks and a focus on ensuring that remaining requirements are technology agnostic – enabling practitioners to leverage cutting-edge tools – and materially improve cybersecurity outcomes.
The Center supports the strategy’s plan to tackle unnecessary, duplicative regulations at home and urges ONCD to convene stakeholders from across the federal government and Congress in this effort.
We also encourage the administration to take a leadership role among international partners on regulatory cooperation efforts, where some of the most challenging divergence occurs for businesses. Through the Coalition to Reduce Cyber Risk, the Center is actively working to align existing regulatory requirements and establish mechanisms to avert divergence in future cyber policymaking initiatives. We look forward to working with ONCD and other U.S. Government stakeholders on these efforts.
Pillar 3: Modernize and Secure Federal Government Networks
In this pillar, the strategy recognizes that, in order to make the federal enterprise more defensible and resilient, its information systems must be modern and up-to-date. As the U.S. government accelerates modernization efforts, it must implement cybersecurity best practices, migrate to post-quantum cryptography, transition to cloud environments, and deploy zero trust architectures.
To defend and deter threats targeting these modernized systems, the Center urges the federal government to develop dedicated threat hunting teams and leverage advanced AI-enabled cybersecurity capabilities in these efforts.
Pillar 4: Secure Critical Infrastructure
The strategy calls on both public and private sector entities to adopt U.S. or allied technology stacks and reduce reliance on vendors based in adversarial nations. Specifically, it emphasizes the need to secure a number of critical infrastructure sectors relevant to national defense, such as telecommunications, energy, data centers, healthcare, and water. To advance these objectives, the strategy seeks to strengthen interagency coordination and mobilize state and local authorities to enhance preparedness and resilience, complementing – rather than substituting for – federal responsibility.
The Center strongly supports resilience as a national imperative and the need to address risks associated with untrusted vendors. The challenge now is execution. Congress laid important groundwork with the Cybersecurity Information Sharing Act of 2015 (CISA 2015), which established a framework for real-time cyber threat information sharing and provided liability protections that enable trusted collaboration across industry and from industry to government. A long-term extension of that framework remains essential for identifying and mitigating risks impacting critical infrastructure.
Equally important is the replacement for the Critical Infrastructure Partnership Advisory Council (CIPAC). To achieve the vision of the strategy, a venue for structured, protected public–private coordination is necessary. CIPAC’s replacement should serve as the operational backbone for aligning risk discussions, sector-specific realities, and resilience planning.
As the U.S. works to reduce reliance on untrusted vendors, the government and the private sector should jointly develop a clear set of principles to guide action. Trusted vendor approaches will only be effective – and durable – if they reflect both national security imperatives and operational realities.
Pillar 5: Sustain Superiority in Critical and Emerging Technology
Under this pillar, the Strategy calls for the development of secure technologies that protect users from design through deployment. This includes a secure AI technology stack, AI-enabled cybersecurity tools, broader adoption of post-quantum cryptography, secure quantum computing, and agentic AI capabilities to disrupt adversarial networks.
The Center supports the use of AI to strengthen cyber defense and urges the development of a proactive national strategy to ensure an effective transition to post-quantum cryptography.
Pillar 6: Build Cyber Talent and Capacity
Effective implementation of the priorities set out in the strategy depends on a robust pipeline of cybersecurity talent. To this end, the strategy calls for training young cybersecurity leaders, streamlining existing workforce development initiatives, and leveraging venture capital-backed incubators.
The Center is very supportive of these initiatives, particularly those focused on strengthening the federal cybersecurity workforce. Building and retaining technical expertise within federal agencies is essential to keeping federal networks safe, and thus to empowering all federal agencies to execute on mission-critical responsibilities for the American people.
Join CCPL's Ari Schwartz, Alex Botting, and Caitlin Clarke for a webinar on March 11 where they will discuss the strategy.
