1. Document Overview

The purpose of this document is to guide national leaders and policymakers in the development, implementation, and revision of a National Cybersecurity Strategy (NCS), and in thinking strategically about cybersecurity, cyber preparedness, and resilience.

This Guide aims to provide a useful, flexible, and user-friendly framework to set the context of a country’s socio-economic vision and current national cybersecurity posture and to assist national leaders and policymakers in the development or revision of a Strategy that takes into consideration a country’s specific situation, cultural norms, and societal values, while encouraging the pursuit of secure, resilient, digitally empowered, and connected societies.

The Guide is a unique resource, as it provides a framework developed and endorsed by organizations with demonstrated and diverse experience in this topic area and builds on their prior work in this space. As such, it offers the most comprehensive overview to date of what constitutes a successful National Cybersecurity Strategy.

Cybersecurity is a complex challenge that encompasses multiple governance, policy, operational, technical, and legal aspects. This Guide addresses, organizes, and prioritizes many of these areas based on existing and well-recognized models, frameworks, and references. The Guide focuses on protecting civilian aspects of cyberspace and, as such, highlights overarching principles and good practices that need to be considered in the drafting, development, implementation, and revision of a National Cybersecurity Strategy.

To this end, the Guide makes a clear distinction between the “process” adopted by countries during the lifecycle of a National Cybersecurity Strategy (initiation, stocktaking and analysis, production, implementation, reviews) and the “content” (i.e., the actual text that would appear in a National Cybersecurity Strategy document). The Guide does not cover aspects such as the development of defensive or offensive cybersecurity capabilities by a country’s military, defense forces, or intelligence agencies, even though a number of countries have been developing such capabilities.

This Guide addresses (i) “what” should be included in a National Cybersecurity Strategy, and (ii) “how” to build, implement, and review it. The Guide also provides an overview of the core components of what it takes for a country to become cyber-prepared, highlighting the critical aspects that governments should consider when developing their national strategies and action plans.  Finally, this Guide offers national leaders and policymakers a holistic, high-level overview of existing approaches and applications, as well as an online Reference Section with additional and complementary resources that can inform specific national cybersecurity efforts.

This Guide is primarily structured as a resource to help national leaders and policymakers prepare, draft, and manage their National Cybersecurity Strategy. The content is organized to follow the process and order of Strategy development:

• Section 2 – Introduction: provides an overview of the subject of the Guide with related definitions;
• Section 3 – Strategy Development Lifecycle: details the steps in the development of a Strategy and its management during its full lifecycle;
• Section 4 – Overarching Principles for a Strategy: outlines the cross-cutting, fundamental considerations to be taken into account during the Strategy development;
• Section 5 – Focus Areas and Good Practices: identifies the key elements and topics that should be considered during the Strategy development; and
• Supporting Reference Materials (available online at www.ncsguide.org): provides relevant literature that stakeholders can review as part of their drafting and reviewing efforts.

In particular, Section 3 addresses the process and aspects related to the development of a National Cybersecurity Strategy (such as preparation, drafting, implementation, and long-term sustainability), while Section 4 and Section 5 are more focused on the content of a National Cybersecurity Strategy, as they highlight concepts and elements that the document should contain.

This Guide is first and foremost targeted at national leaders and policymakers[1] responsible for developing a National Cybersecurity Strategy. The secondary audience includes other public and private stakeholders involved in the development and implementation of a Strategy, such as responsible government staff, regulatory authorities, law enforcement, providers of digital services, critical infrastructure owners and operators, civil society, academia, and research institutions. The Guide may also prove useful to stakeholders in the international development community that provide assistance in cybersecurity.