A new national cybersecurity strategy, an update on landmark cyber incident-reporting rules and the development of a new artificial intelligence security collaboration group are all in the pipeline for the coming weeks and months.
Trump administration officials discussed a range of cyber policy updates at the Information Technology Industry Council’s Intersect Summit in Washington on Tuesday.
Six-pillar national cyber strategy
White House National Cyber Director Sean Cairncross previewed a forthcoming national cybersecurity strategy, saying it would be out “sooner rather than later.” Cairncross said the strategy will feature “six pillars,” including “shaping adversary behavior.”
“It’s an important piece of this puzzle for us,” he added. “What I mean by that is, right now, in many facets of this equation, response to cyber crime, to things that seek to harm us in cyberspace, is very reactive in a lot of ways. We’re looking for a strategic way to approach these different things – be it nation states, criminal nation-state gangs, criminal actors, scam centers, ransomware groups – in a way that strategically we can work to dent the incentive to engage in that behavior.”
Other pillars include “the regulatory environment and working with industry across different sectors to streamline that in a way that is productive, so that form follows function, rather than a compliance checklist,” Cairncross continued.
The four remaining pillars include securing and modernizing the federal government; securing critical infrastructure; maintaining dominance in emerging technologies; and mitigating the cyber skills and workforce gap, Cairncross explained.
“In each of those different pillars, we have various lines of effort, many of which are underway right now,” he said. “I only have so much time in this job, and any administration is time-limited. And so what we are concerned with, and what President Trump is always concerned with, is action and results. And so we are looking to put points on the board to make things work efficiently, effectively and with maximum impact in all these different priority areas.”
CIRCIA update
Nick Andersen, the Cybersecurity and Infrastructure Security Agency’s executive assistant director for cybersecurity, also said CISA will soon release an update on the Cyber Incident Reporting for Critical Infrastructure Act.
“I think that we’ll have some news on CIRCIA in pretty short order, in the next couple of weeks hopefully,” Andersen told reporters after speaking at the summit.
Congress passed CIRCIA in 2022. The law requires organizations across the 16 designated critical infrastructure sectors to report cyber attacks to CISA within 72 hours.
But the cyber agency must finalize the rules for CIRCIA before it goes into effect.
In 2024, CISA released a proposed CIRCIA rule. At the time, the agency estimated the rule would apply to about 316,000 entities across the country.
But industry has criticized the proposed rule for being overly broad. Industry groups and some lawmakers are also encouraging CISA to “harmonize” the rule with many existing cyber incident reporting mandates.
The CIRCIA regulations were supposed to be finalized in October 2025. But in a regulatory update last year, the Trump administration said it would delay the release of the final rule until May 2026.
House Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.) and other Republicans would like to see CISA open an “ex parte” process to address private-sector concerns about the 2024 proposed rule.
AI-ISAC in development
During his talk onstage at ITI’s conference, Andersen also provided an update on the development of an AI Information Sharing and Analysis Center. The Trump administration’s AI Action Plan called on the Department of Homeland Security to establish an AI-ISAC “to promote the sharing of AI-security threat information and intelligence across U.S. critical infrastructure sectors.”
Andersen said “it is an ongoing policy dialog about the best approach” to organizing the AI-ISAC.
“We just want to make sure we take the opportunity to get that relationship right,” Andersen said. “What we don’t want to have happen is have government establish one group engaged in information sharing, have industry establish a separate, parallel group that’s involved in information sharing.”
ISACs are typically sector-specific, nonprofit organizations that share information and best practices about cybersecurity issues across their respective member groups.
“We just want to make sure we’ve got the right elements of, how do we pull together people and how do we take advantage of the leadership position that we can have early on as we continue to see tremendous investments in America’s success and opportunities within the AI race,” Andersen said. “In general, we want to make sure that that security conversation, that security community of interest we can build is going to be built in the right way.”
AI security policy framework
Meanwhile, Cairncross said the Office of the National Cyber Director is also working on an “AI security policy framework.”
“Our goal is as we move forward, and the president is very forward-leaning on the innovation side of AI, we are working to ensure that security is not viewed as a friction point for innovation, but it is built into that system so that on a foundational level, it exists as this gets up and running and scales and is increasingly infused into daily life,” Cairncross said.
CIPAC replacement coming soon?
DHS last year also disbanded the Critical Infrastructure Partnership Advisory Council (CIPAC). It had provided authorities for government and industry groups to collaborate on security issues through various sector coordinating councils.
Homeland Security Secretary Kristi Noem previously said DHS would come out with a new and improved version of CIPAC. But nearly a year after its disestablishment, that has yet to happen. Cyber experts say the lack of the council’s authorities has led to a drop-off in collaborative discussions about cyber issues between government and industry.
Recent news reports indicate DHS is close to unveiling a new version of the council, called the Alliance of National Councils for Homeland Operational Resilience (ANCHOR).
Andersen wouldn’t comment on the timing for rolling out ANCHOR, but he explained why CISA and DHS were looking to revise the council’s authorities and structure.
“We’re trying to solve for a couple of problems,” Andersen said. “The old CIPAC never made any explicit focus on cybersecurity. That just wasn’t part of what was chartered back in the day when it was originally launched. Additionally, it didn’t give us the opportunities for having focus groups to have conversations like undersea cables might be a good example. [Operational technology] systems might be a good example. OT had to nest itself under the IT Sector Coordinating Council in the past. There’s real opportunities for us to improve opportunities for elements of the community that didn’t necessarily have opportunities to engage in a substantive way in the past, really give them a voice in the process.”
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
