What the CESER FY2026-2030 Strategic Plan Signals for Federal Cybersecurity Leaders

Federal CTO of Cybersecurity
April 8, 2026

The plan nobody outside DOE is talking about (but should be).

In February 2026, the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) published its strategic plan for fiscal years 2026 through 2030. If you work in federal cybersecurity and haven’t read it yet, I’d encourage you to move it up the stack.

CESER is not a peripheral office. As the designated Sector Risk Management Agency for the U.S. electricity and oil and natural gas subsectors, it holds statutory authority over two of the most consequential pieces of national infrastructure in existence. What CESER commits to doing for the next five years is not just a DOE matter. It shapes how the entire federal government approaches critical infrastructure protection.

Three Goals That Define the Next Five Years

The plan is organized around three strategic goals: developing world-class security technologies, hardening U.S. energy infrastructure, and improving the ability to respond to and recover from incidents. Underpinning all three is a guiding principle that I think gets overlooked in coverage of this plan: the commitment to provide timely and actionable information to the energy sector.

That guiding principle is not bureaucratic language. It reflects a deliberate choice to treat information sharing as a structural component of security, not an afterthought.

A Shift in Federal Security Philosophy

One of the more significant signals in the plan is the shift away from an “all hazards” posture toward a risk-informed approach. This aligns with broader Trump administration priorities around streamlining federal preparedness and focusing resources where consequences are most severe.

For federal cybersecurity leaders at agencies adjacent to critical energy infrastructure, this matters. A risk-informed approach demands that you know your threat surface well enough to prioritize. It requires honest conversations about what you would do if grid-dependent operations were disrupted, even for hours.

Why This Document Is Important

CESER was established in 2018 with a mandate that its first director described as his highest priority. The 2026 plan reflects how much that mission has grown in scope and urgency. The threats are more numerous, more sophisticated, and more interconnected than they were eight years ago.

If your agency touches energy systems, depends on energy continuity for mission delivery, or operates in any sector that crosses paths with electricity or oil and gas infrastructure, the CESER strategic plan is your context document for the next five years.

In the next article in this series, I break down the four threat categories CESER identifies and what each one means operationally for federal cybersecurity teams. Be sure to come back for more.

Where Does Your Program Stand?

If this raises questions about your agency’s posture, let’s talk.