Just a few months after releasing an updated and comprehensive National Cybersecurity Strategy, the White House released its National Cybersecurity Strategy Implementation Plan, delegating responsibilities to move a number of initiatives forward.
The National Cybersecurity Strategy released at the beginning of March vowed to build “a more defensible and resilient digital ecosystem” through “generational investments” in cyber infrastructure, increased digital diplomacy and private-sector partnerships, regulation of critical sectors, and allowing software firms to be held liable if their products hold the door open for hackers.
The strategy is built on five pillars: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals. It called for establishing cybersecurity regulations in critical sectors, harmonizing and streamlining new and existing regulations, helping regulated entities absorb cybersecurity costs, enhancing public-private collaboration including data sharing, reshaping laws that govern liability for data losses and harm caused by cybersecurity errors, and more.
“It is a positive sign that the administration continues to be transparent and timely in its work on the Cybersecurity Strategy and the public release of the Implementation Plan with associated fanfare is appropriate,” Bob Kolasky, who led the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center as one of CISA’s assistant directors, told HSToday. “It would have been good if that had been coupled with the announcement of a permanent nominee to be National Cyber Director — but, hopefully, such an announcement is impending. Current Acting NCD Kemba Walden has done a great job leading this work.”
Former Chief Information Officer for the DHS Countering Weapons of Mass Destruction (CWMD) Office Antonio Villafana told HSToday that “what really stands out” in the implementation plan “is the detailed instructions and expectations of the 65 federal initiatives across five pillars.”
“Several agencies have been tasked with providing oversight of assigned pillar and objectives. This approach, I believe, will be pivotal to the overall success of this EO,” said Villafana, an HSToday Editorial Board member. “The pillar I’ll be monitoring very closely is Pillar One, which establishes regulations and standards to strengthen the defenses of our critical infrastructure in both private and public sectors. Recent reporting points to increased attacks on our critical infrastructure in the coming years.”
The Office of the National Cyber Director was tasked with coordinating implementation of the National Cybersecurity Strategy under the oversight of the National Security Council and working with interagency partners to develop and publish an implementation plan. ONCD will coordinate execution of the implementation plan and will work with the Office of Management and Budget to shape funding proposals accordingly. ONCD will also be releasing an RFI in the “near future” for “information regarding cybersecurity regulatory harmonization,” the White House said.
“If agencies aren’t resourced to carry out their cyber missions, they cannot do their jobs and we won’t see any progress,” former CISA Senior Advisor Katherine Ledesma told HSToday.
“As with the strategy, Congress is a major stakeholder,” said Kolasky, an HSToday Editorial Board member. “Ensuring that consultation with the legislative branch is ongoing in areas where new authorities are needed remains key. I am hopeful that this plan will lead to meaningful legislative proposals that will get real consideration in next year’s Congress.”
The 57-page National Cybersecurity Strategy Implementation Plan released Thursday says it is the “first iteration” of a “living document that will be updated annually.”
“I would like to see this updated not only as the threat landscape changes, but also with progress and impact,” Ledesma said. “Reporting on initiative completion will be important, but even more important will be impact. Have we actually reduced cyber risk to the nation and our critical infrastructure? This will be the question the community is looking to answer as implementation begins.”
The plan includes more than 65 initiatives assigned to 18 federal agencies with timelines for completion, but is not all-inclusive of agency activities that work toward implementing the cybersecurity strategy.
“Some initiatives, such as the issuance of the Administration’s Cybersecurity Priorities for the Fiscal Year 2025 Budget, have been completed ahead of schedule,” the White House said. “Other completed activities, such as the transmittal of the May 26 Department of Defense 2023 Cyber Strategy to Congress, and the June 20 creation of a new National Security Cyber Section by the Justice Department, are key milestones in completing initiatives.”
Kolasky said that the first line of the implementation plan to catch his attention was in its introduction: “The United States Government will only succeed in implementing the National Cybersecurity Strategy through close collaboration with the private sector; civil society; state, local, Tribal, and territorial governments; international partners; and Congress. Agencies will work with interested stakeholders to implement the initiatives of this Plan and build new partnerships where possible.”
“I hope every initiative lead agency takes those words very seriously and designs processes to do so around the specific issues,” Kolasky said.
On the first pillar of defending critical infrastructure, for example, the implementation plan directs the Cybersecurity and Infrastructure Security Agency (CISA) to lead a process to update the National Cyber Incident Response Plan “to more fully realize the policy that ‘a call to one is a call to all’” and include “clear guidance to external partners on the roles and capabilities of federal agencies in incident response and recovery.”
“Also of note is that the very first initiative in the Plan is one on cyber regulatory harmonization,” Ledesma said, referencing the directive for ONCD and OMB to work with independent and executive branch regulators to sync baseline cybersecurity requirements for critical infrastructure. “I believe the administration has heard industry stakeholders on just how important regulatory harmonization is. Beyond identifying opportunities to harmonize baseline cybersecurity requirements, as the plan commits, I hope that the administration takes expeditious action to actually do so.”
“Especially as we are looking at an increasingly regulated approach to cybersecurity across critical infrastructure sectors, what we don’t want is for the regulatory burden to distract from actual risk reduction,” she added. “Clear, coordinated cybersecurity baselines across industries allow organizations to focus their security dollars on items that result in true risk reduction, not simple regulatory compliance.”
On the strategy’s second pillar of disrupting and dismantling threat actors, among other initiatives, the FBI will work with partners “to carry out disruption operations against the ransomware ecosystem, including virtual asset providers that enable laundering of ransomware proceeds,” while CISA will lead an initiative focused on offering resources such as “training, cybersecurity services, technical assessments, pre-attack planning, and incident response to high-risk targets of ransomware, like hospitals and schools, to make them less likely to be affected and to reduce the scale and duration of impacts if they are attacked.”
Advancing the third pillar of shaping market forces and driving security and resilience will include CISA continuing to lead work with key stakeholders to identify and reduce gaps in software bill of materials (SBOM) scale and implementation. The fourth pillar focused on investing in a resilient future will include the National Institute of Standards and Technology (NIST) convening the Interagency International Cybersecurity Standardization Working Group “to coordinate major issues in international cybersecurity standardization and enhance U.S. federal agency participation in the process.” NIST will also “finish standardization of one or more quantum-resistant public key cryptographic algorithms.”
The fifth pillar of advancing international partnerships to strengthen cybersecurity includes the State Department publishing an International Cyberspace and Digital Policy Strategy and working “to catalyze the development of staff knowledge and skills related to cyberspace and digital policy that can be used to establish and strengthen country and regional interagency cyber teams to facilitate coordination with partner nations.”
One initiative under this pillar, with NIST as the responsible agency, is to “increase trust in foreign suppliers through the promulgation and amplification of C-SCRM best practices at home and abroad through a Software Supply Chain Security National Cybersecurity Centers of Excellence Project.” Kolasky said that supply chain initiatives in the plan “are a good start” but this particular one “could use more detail and more attention.”
“I am not sure how NIST practices alone are going to meet the goal of broad critical infrastructure sector C-SCRM,” he said. “I wish the SRMAs were given clearer assignments as part of the initiative.”
A senior administration official said at the release of the strategy in March that the White House hoped to release the public implementation plan within a few months.
“Congratulations to the team at the Office of the National Cyber Director for developing and pushing this document out in record time; however, there is still a lot of work to be done. And that should include ample coordination with the private sector,” Ledesma said. “The Implementation Plan itself acknowledges that the plan’s success depends on collaboration, including with industry.”
“This was important for maintaining momentum,” Kolasky said, adding that there is “still a lot of work ahead.”