Cybersecurity Roadmap Federated States of Micronesia
December 2021
Strategies and Action Plans
The cybersecurity roadmap for the Federated States of Micronesia (FSM) outlines a strategic approach to enhancing the nation’s cybersecurity capabilities and resilience over a six-year period. Designed to address current vulnerabilities and anticipated digital security needs, this roadmap aims to strengthen FSM’s digital defences and support a safer online environment for its citizens, institutions, and critical infrastructure.
Purpose and goals
The roadmap is intended to guide FSM’s government in establishing a comprehensive cybersecurity framework that encompasses policy development, governance structures, and regulatory measures. It seeks to create a foundation that enables FSM to effectively manage cybersecurity risks, combat cybercrime, protect critical infrastructure, and safeguard citizens’ personal data. These efforts aim to elevate FSM’s cybersecurity maturity, positioning it as a capable and secure digital nation that can protect against local and global cyber threats.
Background and motivation
The development of this roadmap was motivated by the findings of the Cybersecurity Capacity Maturity Model (CMM) review conducted in January 2020, in partnership with the Asia-Pacific Telecommunity (APT) and the Oceania Cyber Security Centre (OCSC). This review provided FSM with a detailed assessment of its current cybersecurity capabilities, highlighting key areas for improvement, including the development of a national cybersecurity strategy, improved governance, and the need for cybersecurity and cybercrime-related legislation. Based on this evaluation and feedback from local stakeholders, the roadmap was structured to address FSM’s immediate and long-term cybersecurity priorities.
The roadmap is structured across three sequential stages, spanning from foundational actions to advanced cybersecurity measures. Each stage builds on the previous one, ensuring FSM develops the necessary infrastructure, policies, and expertise progressively:
Stage 1 (1-2 years): National cybersecurity foundation
- Develop national cybersecurity strategy (NCS): Establish a structured plan to manage cybersecurity risks, define goals, and foster cooperation across public and private sectors. Key preparatory actions include setting up governance, establishing a national CERT (Computer Emergency Response Team), defining critical infrastructure, and addressing risk management.
  - Governance: Appoint a senior leader, such as a National Cybersecurity Coordinator, to lead cybersecurity efforts.
  - CERT establishment: FSM CERT will act as the primary national entity for cybersecurity incident coordination, response, and information sharing.
  - Critical infrastructure identification: Define and identify essential services and sectors to protect, with a focus on both public and private sector assets.
  - Risk management and awareness: Conduct regular risk assessments and run an awareness program for the public, with a particular focus on protecting vulnerable groups online.
- Pass cybercrime legislation: Enact laws aligned with international standards, such as the Budapest Convention, to address cybercrime substantively and procedurally. Emphasise law enforcement training and capacity building to support cybercrime investigation.
- Information protection law: Enact a classified information protection law to secure sensitive government data, establishing different information protection levels, including for international cooperation.
Stage 2 (2-4 years): Critical infrastructure and response enhancement
- Critical infrastructure protection: Build on the critical infrastructure identification efforts by developing and implementing a protection plan for these assets.
- Incident reporting and CERT strengthening: Expand FSM CERT’s capabilities by establishing standardised incident reporting guidelines and protocols. This stage includes continuous training, budget allocations, and capacity enhancements for the CERT to manage evolving cybersecurity threats.
Stage 3 (4-6 years): Personal data protection
- Enact personal data protection legislation: Establish laws for data privacy to ensure safe digital transformation. This includes guidelines on lawful data collection, storage, and processing to protect citizens’ privacy.