On Friday, March 6, the Trump administration released the latest US national cybersecurity strategy, President Trump’s Cyber Strategy for America, alongside an executive order on combating cybercrime and fraud. The document, focused on six core pillars, is the briefest cybersecurity strategy released by the US in the last decade.

The biggest challenge with the document is its brevity. Coming in at only five pages of text, it lacks substantive guidance on how the initiatives included will be accomplished. With the more verbose guidance released during Trump’s previous term, combined with recent executive orders, there are meaningful ways that organizations can prepare for how this strategy will affect the broader threat landscape and their security programs.

We outline each of the six pillars along with guidance on how to prepare for the changes in the national cybersecurity strategy below.

Pillar One: Shape Adversary Behavior

What to know: This pillar addresses the more contested, aggressive threat landscape, where ransomware gangs, state-aligned criminals, and nation-state operators have exploited US restraint at the national level. More aggressive offensive cyber operations have been a hallmark of both Trump terms. During his first term, the combination of the 2018 Department of Defense Cyber Strategy, the “defend forward” doctrine, and the 2019 National Defense Authorization Act enabled USCYBERCOM to conduct more aggressive forward operations against foreign infrastructure. These actions laid the groundwork for continued, more aggressive offensive cyber operations, which have achieved significant successes in thwarting attacks.

Especially given the cyberattacks used in Venezuela and the conflict taking place in Iran, this document serves as a reminder to USCYBERCOM and the federal government to push forward on more aggressive action. Public and private collaboration will become more important at a time when many of the resources for that collaboration have been downsized. Recognize that a more aggressive federal posture could result in collateral damage, particularly when it comes to cyberattacks associated with wars against smaller nations, where cyberattacks provide an asymmetric advantage.

What to do about it: The priority for enterprises should be defensive measures, especially tailored to nations with geopolitical conflicts in which the US is actively involved. For example, after the initial strikes in Iran in 2026, there was a notable escalation in attacks from activists. According to Unit 42, state-backed groups may act in operational isolation, which could change their attack patterns. Given this and the overall more chaotic geopolitical environment, Forrester recommends holding regular sessions on geopolitical risk to continually reevaluate which threat actors are likely to target your organization and to update threat intelligence measures accordingly.

Pillar Two: Promote Common Sense Regulation

What to know: This pillar advances the Biden-era push for regulatory harmonization, promising “streamlined” and “common sense” regulation. Yet for a pillar that affects virtually every regulated organization in the country, it is sparse in details about what this means. Despite using the same “harmonization” language, in practice, this strategy signals deregulation — a shift away from setting and centralizing consistent, sector-specific cyber baselines. The emphasis is on ensuring that the private sector can operate with agility, but a 2025 Government Accountability Office report found that, rather than seeking deregulation, the industry wanted a single cyber authority, standardized definitions, and regulatory reciprocity to reduce burdens.

Expect the federal stance on regulation to stay in flux as the administration selectively tackles regulatory topics. For example, the Cybersecurity and Infrastructure Security Agency (CISA) continues to delay its proposed CIRCIA rule to harmonize incident reporting for critical infrastructure sectors. On the other hand, the White House issued an executive order to prevent states from regulating AI, despite no federal standards being in place. Until more concrete directives materialize, the dominant condition for regulated organizations is uncertainty, not relief.

What to do about it: To navigate this uncertainty, leaders must anchor their security programs in frameworks like the NIST Cybersecurity Framework 2.0, regardless of which mandates survive. This is your best technical foundation and a strong hedge against regulatory changes, since it focuses on security capabilities that map to virtually any regulation. Don’t conflate federal deregulation with reduced compliance; instead, map current regulatory obligations to your common control framework and keep it up to date. Lastly, invest in industry information-sharing coalitions now. Information sharing and analysis centers and sector working groups are becoming standard-setting vehicles as federal coordination declines, and early participation gives you influence over what those standards become.

Pillar Three: Modernize And Secure Federal Government Networks

What to know: This pillar reinforces the importance of Zero Trust in federal systems while calling for modernization and post-quantum readiness. It also highlights the desire to adopt AI for cybersecurity and to speed procurement. With the administration’s changes to CISA and overall downsizing, individual government agencies will be challenged to meet the broad objectives laid out in the strategy.

What to do about it: Without further specificity, federal agencies should take the messages in the strategy document seriously. Continue to harden systems by aggressively maturing Zero Trust (including phishing‑resistant multifactor authentication, least‑privilege access, and strong segmentation), implementing post-quantum cryptography (with federal agencies mandated to switch by 2035), and adopting strong AI security measures.

Pillar Four: Secure Critical Infrastructure

What to know: Critical infrastructure has been a concern of the US federal government since the first comprehensive national strategy to secure cyberspace was released in the Bush administration. While the government’s perspective on how to address critical infrastructure has changed, the private sector has borne the burden of securing those environments.

The biggest adjustment with this new strategy is that the government is explicitly directing critical infrastructure providers to move away from working with companies considered “adversary vendors” and to promote the use of US technologies.

What to do about it: Regardless of how the government intends to go about it, organizations that are designated as critical infrastructure must inventory their tooling and be prepared to shift to domestic or allied suppliers. Document hardware and software technologies (including through software bills of materials) and identify critical technologies that pose a risk alongside those that are simplest to rip and replace.

Pillar Five: Sustain Superiority In Critical And Emerging Technologies

What to know: This pillar treats emerging technologies as opportunities for power projection and as domains that are actively contested, rather than solely as opportunities for innovation. It acknowledges that companies actively adopting technologies with serious security concerns are a strategic liability for the United States; as part of that, it emphasizes the importance of post-quantum capabilities and prioritizes them in federal infrastructure security measures.

This pillar makes it seem as though there is an appetite for more holistic regulation on securing AI systems. But given the rollback of Biden-era executive orders to regulate AI, and the current administration’s focus on “common sense regulations,” which typically means fewer regulations, it’s unlikely this will come to fruition. This pillar signals directionality but is unlikely to have teeth on enforcement.

What to do about it: Despite challenges in enforcement, a section dedicated to this topic in the cybersecurity strategy shows its importance. Inventory where your organization uses public‑key cryptography and prioritize long‑lived, sensitive data for early migration to standards‑based, hybrid quantum‑safe algorithms. To secure AI systems, lock down training data and model artifacts, segment AI infrastructure, and monitor for abuse.

Pillar Six: Build Talent And Capacity

What to know: This pillar pivots from earlier workforce plans by broadening beyond the 2018 strategy’s focus on traditional technical cybersecurity skills (e.g., strengthening the pipeline of network defenders, incident responders, and threat intel analysts, even attracting top talent via merit-based immigration) and the 2023 strategy’s emphasis on governance, risk management, regulatory alignment, and “secure by design” principles.

The 2026 strategy envisions a rapid expansion of cyber talent well versed in autonomous systems and AI-enabled defense tools. It frames the cyber workforce as a strategic asset and calls for cross-sector initiatives to quickly broaden the talent pool, shifting roles from manual technical operators to professionals who manage and integrate intelligent security systems as more routine tasks become automated.

What to do about it: The implications of this pillar align with Forrester’s cybersecurity talent management advice to clients: Invest heavily and immediately in upskilling through AI-fluent, AI-collaborative training for your teams, and adjust hiring and development plans to emphasize skills in orchestrating and overseeing AI-driven defenses. This is critical to remaining resilient as AI reshapes the security workforce, displacing traditional roles and org structures and demanding a new generation of practitioners.

Conclusion

The biggest challenge with this strategy is its lack of detailed direction. It skips over international cooperation and collaboration, a core part of the 2023 and 2018 strategies, to prioritize US technology and innovation. Focus on implementing defensive measures outlined in more depth in the 2023 and 2018 strategies first and foremost, especially in the face of what this strategy most clearly signals: a more aggressive posture toward adversaries.
