On Friday, March 7, the Trump administration released the latest US national cybersecurity strategy: President Trump’s Cyber Strategy for America, alongside an Executive Order on combating cybercrime and fraud.  The document, focused on six core pillars, is the briefest cybersecurity strategy released by the US in the last decade.

The biggest challenge with the document is its brevity. Coming in at only 5 pages of text, it lacks substantive guidance on how the initiatives included will be accomplished. With the more-verbose guidance released during Trump’s previous term, combined with recent executive orders, there are meaningful ways organizations can prepare for how this strategy will affect the broader threat landscape and their security programs.

We outline each of the six pillars along with guidance on how to prepare for the changes in the national cybersecurity strategy below.

Pillar 1: Shape Adversary Behavior

What to know: Pillar 1 addresses the more contested, aggressive threat landscape, where ransomware gangs, state-aligned criminals, and nation-state operators have exploited US restraint at the national level. More aggressive offensive cyber operations have been a hallmark of both Trump terms. During his first term, the combination of the 2018 DoD Cyber Strategy, the Defend Forward doctrine, and the FY2019 NDAA enabled USCYBERCOM to conduct more aggressive forward operations against foreign infrastructure. These actions laid the groundwork for continued, more aggressive offensive cyber operations, which have achieved significant successes in thwarting attacks.

Especially given the cyberattacks used in Venezuela and the conflict taking place in Iran, this document serves as a reminder to USCYBERCOM and the federal government to push forward on more aggressive action. Public and private collaboration will become more important at a time when many of the resources for that collaboration have been downsized. Recognize that a more aggressive federal posture could result in collateral damage, particularly when it comes to cyberattacks associated with wars against smaller nations, where cyberattacks provide an asymmetric advantage.

What to do about it: The priority for enterprises should be defensive measures, especially tailored to nations with geopolitical conflicts in which the US is actively involved. For example, after the initial strikes in Iran in 2026, there was a notable escalation in attacks from activists. According to Unit 42, state-backed groups may act in operational isolation,  which could change their attack patterns. Given this and the overall more chaotic geopolitical environment, Forrester recommends holding regular sessions on geopolitical risk to continually reevaluate which threat actors are likely to target your organization and to update threat intelligence measures accordingly.

Pillar 2: Promote Common Sense Regulation

What to know: Pillar 2 advances the Biden-era push for regulatory harmonization, promising “streamlined” and “common sense” regulation. Yet for a pillar that affects virtually every regulated organization in the country, it is sparse in details about what this means. Despite using the same “harmonization” language, in practice this strategy signals deregulation — a shift away from setting and centralizing consistent, sector-specific cyber baselines. The emphasis is on ensuring the private sector can operate with agility. However, a 2025 GAO report found that, rather than seeking deregulation, industry wanted a single cyber authority, standardized definitions, and regulatory reciprocity to reduce burdens.

Expect the federal stance on regulation to stay in flux as the administration selectively tackles regulatory topics. For example, CISA continues to delay its proposed CIRCIA rule to harmonize incident reporting for critical infrastructure sectors. On the other hand, the White House issued an executive order to prevent states from regulating AI, despite no federal standards being in place. Until more concrete directives materialize, the dominant condition for regulated organizations is uncertainty, not relief.

What to do about it: To navigate this uncertainty, leaders must anchor their security programs in frameworks like the NIST CSF 2.0, regardless of which mandates survive. This is your best technical foundation and a strong hedge against regulatory changes since it focuses on security capabilities that map to virtually any regulation. Don’t conflate federal deregulation with reduced compliance; instead, map current regulatory obligations to your common control framework and keep it up to date. Lastly, invest in industry information-sharing coalitions now. ISACs and sector working groups are becoming standard-setting vehicles as federal coordination declines, and early participation gives you influence over what those standards become.

Pillar 3: Modernize and Secure Federal Government Networks

What to know: Pillar 3 reinforces the importance of Zero Trust in federal systems while calling for modernization and post-quantum readiness. It also highlights the desire to adopt AI for cybersecurity and to speed procurement. With the administration’s changes to CISA and overall downsizing, individual government agencies government will be challenged to meet the broad objectives laid out in the strategy.

What to do about it: Without further specificity, federal agencies should take the messages in the strategy document seriously. Continue to harden systems by aggressively maturing Zero Trust (including phishing‑resistant MFA, least‑privilege access, and strong segmentation), implementing post-quantum cryptography (with federal agencies mandated to switch by 2035), and adopting strong AI security measures.

Pillar 4: Secure Critical Infrastructure

What to know: Critical infrastructure has been a concern of the US federal government since the first comprehensive national strategy to secure cyberspace was released in the Bush administration. While the government’s perspective of how to address critical infrastructure has changed, the private sector has borne the burden of securing those environments.

The biggest adjustment with this new strategy is that the government is explicitly directing critical infrastructure providers to move away from working with companies considered “adversary vendors” and to promote the use of U.S. technologies.

What to do about it: Regardless of how they intend to go about it, organizations that are designated as critical infrastructure must inventory their tooling and be prepared to shift to domestic or allied suppliers. Document hardware and software technologies (including through SBOMs) and identify critical technologies that pose a risk alongside those that are simplest to rip and replace.

Pillar 5: Sustain Superiority in Critical and Emerging Technologies

What to know: Pillar 5 treats emerging technologies as opportunities for power projection and as domains that are actively contested, rather than as sole opportunities for innovation. It acknowledges that companies actively adopting technologies with serious security concerns are a strategic liability for the United States; as part of that, it emphasizes the importance of post-quantum capabilities and prioritizes them in federal infrastructure security measures.

This pillar makes it seem as though there is an appetite for more holistic regulation on securing AI systems. However, given the rollback of Biden-era executive orders to regulate AI, and the current administration’s focus on “common sense regulations,” which typically means fewer regulations, it’s unlikely this will come to fruition. This pillar signals directionality but is unlikely to have teeth on enforcement.

What to do about it: Despite challenges in enforcement, a section dedicated to this topic in the cybersecurity strategy shows its importance. Inventory where your organization uses public‑key cryptography and prioritize long‑lived, sensitive data for early migration to standards‑based, hybrid quantum‑safe algorithms. To secure AI systems, lock down training data and model artifacts, segment AI infrastructure, and monitor for abuse.

Pillar 6: Build Talent and Capacity

What to know: Pillar 6 pivots from earlier workforce plans by broadening beyond the 2018 strategy’s focus on traditional technical cybersecurity skills (e.g., strengthening the pipeline of network defenders, incident responders, threat intel analysts, even via merit-based immigration to attract top talent) and the 2023 strategy’s emphasis on governance, risk management, regulatory alignment, and “secure by design” principles.

The 2026 strategy envisions a rapid expansion of cyber talent well-versed in autonomous systems and AI-enabled defense tools. It frames the cyber workforce as a strategic asset and calls for cross-sector initiatives to quickly broaden the talent pool, shifting roles from manual technical operators to professionals who manage and integrate intelligent security systems as more routine tasks become automated.

What to do about it: The implications of this pillar align with Forrester’s cybersecurity talent management advice to clients: invest heavily and immediately in upskilling in AI-fluent, AI-collaborative training for your teams and adjust hiring and development plans to emphasize skills in orchestrating and overseeing AI-driven defenses. This is critical to remaining resilient as AI reshapes the security workforce, displacing traditional roles and org structures, and demanding a new generation of practitioners.

Conclusion

The biggest challenge with this strategy is its lack of detailed direction. It skips over international cooperation and collaboration, a core part of the 2018 and 2023 strategies, to prioritize U.S. technology, innovation, and. Focus on implementing defensive measures outlined in more depth in the 2023 and 2018 strategies first and foremost, especially in the face of what this strategy most clearly signals: a more aggressive posture towards adversaries.

If you’re a Forrester client, book an inquiry or guidance session with us if you have any questions about this change in strategy.