On March 6, 2026, the White House released President Trump's Cyber Strategy for America (the strategy). The document builds upon earlier cyber-related actions and describes the Administration's policies and postures on cybersecurity. This Insight describes these documents and provides context for Congress.
The Administration's Cyber Strategy includes six pillars—each of which mirrors previous governmental policies toward improving cybersecurity. The pillars are cross-cutting and would involve a variety of federal agencies (e.g., Department of Defense, Department of Justice, and Department of Homeland Security) as well as the private sector.
The National Cyber Director said that this strategy would be accompanied by an action plan. That plan does not appear to have been released along with this strategy. The action plan itself may reveal differences and nuance between the Trump Administration's cyber strategy and those of previous Administrations.
The strategy provides high-level policy outlines of the Administration's cybersecurity objectives. How these objectives are accomplished and what effects these documents might have on agency budget requests and priorities remain to be seen. While Congress awaits greater detail (e.g., in a plan or through executive orders), it may choose to consider the implications of current policy and how this may be encouraging or discouraging the Administration's goals.
The strategy calls the cyber workforce a "strategic asset." Congress has taken interest in the nation's cybersecurity workforce in the past—enacting laws related to scholarships, recruitment and retention, and compensation of cyber-skilled federal employees. Congress has also investigated the pipeline of workers available for cybersecurity jobs across the country and within the armed services. Congress may choose to conduct oversight on existing cyber workforce growth initiatives, or expand workforce considerations to include the role of immigration, AI and automation, and reducing barriers for workers whose careers include both government and private-sector work.
The Administration is seeking to advance zero-trust architecture, post-quantum cryptography, cloud computing, and AI to improve federal network security. However, the Trump Administration rescinded some of the Biden Administration's previous efforts to achieve these same outcomes. The extent to which the Trump Administration's efforts will be evolutionary, complementary, or antithetical to previous efforts, or substitute for them, remains to be seen.
Most of Congress's concerns around federal network security focus on authorities and resources. For instance, such issues were addressed when Congress updated the main federal information technology security law (the Federal Information Security Modernization Act of 2014, or FISMA) in 2014. There have been recent attempts to update it. Additionally, the Administration may identify authority and gaps in resources that it requests Congress to address. For instance, multiple Administrations have surfaced the issues of costs associated with maintaining legacy systems and purchasing cybersecurity tools as a source of risk for federal agencies.
The strategy seeks to incentivize the private sector to find and disrupt adversarial networks. This is akin to the "hack-back" debate Congress has engaged in for a number of years. It has been difficult to advance the debate, because there are many outstanding questions:
The previous cyber strategy also sought to engage the private sector, but to collaborate on combatting malicious actors and building more secure products. This strategy suggests that the private sector will directly and independently engage malicious cyber actors.
The strategy suggests a more aggressive posture from the United States government pertaining to the actions it may take against adversaries. The past four Administrations have issued sanctions and indictments in response to cyberattacks. Congress has authorized the Department of Defense (now "using a secondary Department of War designation," under Executive Order 14347 dated September 5, 2025) to engage nation-state adversaries and Mexican TCOs in cyberspace. It is unclear if the Trump Administration will request new authorities or resources to engage in amplified cyber-offensive activities.