White House prescribes 69-point National Cybersecurity Strategy Implementation Plan

The U.S. administration announced Thursday a roadmap called the National Cybersecurity Strategy Implementation Plan (NCSIP) to ensure transparency and a continued path for coordination in realizing its March National Cybersecurity Strategy. The plan details over 65 high-impact federal initiatives, from protecting American jobs by combating cybercrime to building a skilled cyber workforce equipped to excel in an increasingly digital economy.

The NCSIP outlines that these high-impact initiatives require executive visibility and interagency coordination that the Federal government will carry out to achieve the Strategy’s objectives. Each initiative is assigned to a responsible agency and is associated with a timeline for completion. Some of these initiatives are already underway and will be completed by the end of Fiscal Year 2023. The NCSIP, along with the Bipartisan Infrastructure Law, CHIPS and Science Act, Inflation Reduction Act, and other major administration initiatives, will protect investments in infrastructure, clean energy, technology, and manufacturing.

“This is the first iteration of the Implementation Plan, which is a living document that will be updated annually. Initiatives will be added as the evolving cyber landscape demands and removed after completion,” the document said. “The Office of the National Cyber Director will coordinate this work and report to the President and to Congress on the status of implementation. The United States Government will only succeed in implementing the National Cybersecurity Strategy through close collaboration with the private sector; civil society; state, local, Tribal, and territorial governments; international partners; and Congress.” 

It added that agencies will work with interested stakeholders to implement the initiatives of this Plan and build new partnerships where possible. “The Administration will continue to refine Implementation Plan initiatives based on stakeholder feedback and assessments of their effectiveness.”

The National Cybersecurity Strategy sought to build and enhance collaboration around five pillars – Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces to Drive Security and Resilience, Invest in a Resilient Future, and Forge International Partnerships to Pursue Shared Goals. The strategy calls for two fundamental shifts in how the U.S. allocates roles, responsibilities, and resources in cyberspace. These include ensuring that the biggest, most capable, and best-positioned entities in the public and private sectors assume a greater share of the burden for mitigating cyber risk, and increasing incentives to favor long-term investments in cybersecurity.

Addressing Pillar One to defend critical infrastructure, the NCSIP will establish cybersecurity requirements to support national security and public safety. The plan seeks to do this by establishing an initiative on cyber regulatory harmonization, setting cybersecurity requirements across critical infrastructure sectors, and increasing agency use of frameworks and international standards to inform regulatory alignment. 

It also looks to scale public-private collaboration, using public-private partnerships to drive the development and adoption of secure-by-design and secure-by-default technology and to provide recommendations for the designation of critical infrastructure sectors and SRMAs (Sector Risk Management Agencies). It also looks into evaluating how CISA (the Cybersecurity and Infrastructure Security Agency) can leverage existing reporting mechanisms, or potentially create a single portal, to integrate and operationalize SRMAs, sector-specific systems, and processes. The plan also proposes investigating opportunities for new and improved information-sharing and collaboration platforms, processes, and mechanisms; and establishing an SRMA support capability.

The NCSIP integrates federal cybersecurity centers to assess and improve Federal Cybersecurity Centers’ and related cyber centers’ capabilities and plans necessary for collaboration at speed and scale. It also updates federal incident response plans and processes by issuing the final Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule, developing exercise scenarios to improve cyber incident response, and drafting legislation to codify the Cyber Safety Review Board (CSRB) with the required authorities.

The NCSIP also modernizes federal defenses by securing unclassified Federal Civilian Executive Branch (FCEB) systems; modernizing FCEB technology; and securing National Security Systems (NSS) at FCEB agencies. 

When it comes to the National Cybersecurity Strategy’s Pillar Two of ‘Disrupt and Dismantle Threat Actors,’ the NCSIP has sought to integrate federal disruption activities by publishing an updated DOD Cyber Strategy; strengthening the National Cyber Investigative Joint Task Force (NCIJTF) capacity; expanding organizational platforms dedicated to disruption campaigns; proposing legislation to disrupt and deter cybercrime and cyber-enabled crime; and increasing speed and scale of disruption operations. 

The NCSIP will also enhance public-private operational collaboration to disrupt adversaries by identifying mechanisms for increased adversarial disruption through public-private operational collaboration. It also looks at increasing the speed and scale of intelligence sharing and victim notification by identifying and operationalizing sector-specific intelligence needs and priorities and removing barriers to delivering cyber threat intelligence and data to critical infrastructure owners and operators.

The plan also seeks to prevent abuse of U.S.-based infrastructure. The Department of Commerce will publish a Notice of Proposed Rulemaking (NOPR) implementing EO 13984 that lays out requirements for IaaS providers and resellers as well as standards and procedures for determining what risk-based prevention approach is sufficient to qualify for an exemption. 

The NCSIP will also counter cybercrime and defeat ransomware by disincentivizing safe havens for ransomware criminals, disrupting ransomware crimes, investigating ransomware crimes and disrupting the ransomware ecosystem; and supporting private sector and state, local, Tribal, and territorial (SLTT) efforts to mitigate ransomware risk. It also looks to support other countries’ efforts to adopt and implement the global anti-money laundering/countering the financing of terrorism (AML/CFT) standards for virtual asset service providers. 

Working on Pillar Three ‘Shape Market Forces to Drive Security and Resilience,’ the NCSIP looks at driving the development of secure IoT devices by implementing Federal Acquisition Regulation (FAR) requirements per the Internet of Things (IoT) Cybersecurity Improvement Act of 2020; and initiating a U.S. government IoT security labeling program. It also looks to shift liability for insecure software products and services by exploring approaches to develop a long-term, flexible, and enduring software liability framework; advancing software bills of materials (SBOM) and mitigating the risk of unsupported software; and advancing coordinated vulnerability disclosure.

The plan will also use federal grants and other incentives to build in security and improve infrastructure cybersecurity; prioritize funding for cybersecurity research; and prioritize cybersecurity research, development, and demonstration on social, behavioral, and economic research in cybersecurity. It also looks into leveraging federal procurement to improve accountability by implementing the FAR changes required under EO 14028 and leveraging the False Claims Act to improve vendor cybersecurity. The plan also looks at exploring a Federal Cyber Insurance Backstop by assessing the need for a federal insurance response to a catastrophic cyber event.

Moving over to Pillar Four of the National Cybersecurity Strategy, which focuses on ‘Invest in A Resilient Future,’ the NCSIP looks to secure the technical foundation of the Internet. It looks at doing this by leading the adoption of network security best practices, promoting open-source software security and the adoption of memory-safe programming languages, and accelerating the development and standardization of, and supporting the adoption of, foundational Internet infrastructure capabilities and technologies, while collaborating with key stakeholders to drive secure Internet routing.
The plan also seeks to reinvigorate federal research and development for cybersecurity, by accelerating the maturity, adoption, and security of memory-safe programming languages. It also looks into the nation’s post-quantum future by implementing National Security Memorandum-10 for National Security Systems (NSS) and standardizing and supporting the transition to post-quantum cryptographic algorithms.

The NCSIP will also drive the adoption of cyber secure-by-design principles by incorporating them into federal projects; develop a plan to ensure the digital ecosystem can support and deliver the government’s decarbonization goals; and build and refine training, tools, and support for engineers and technicians using cyber-informed engineering principles. The plan also works on developing a National Strategy to strengthen the nation’s cyber workforce, publishing a National Cyber Workforce and Education Strategy, and tracking its implementation.

Addressing Pillar Five to ‘Forge International Partnerships to Pursue Shared Goals,’ the NCSIP aims to build coalitions to counter threats to the digital ecosystem by creating interagency teams for regional cyber collaboration and coordination, publishing an International Cyberspace and Digital Policy Strategy, strengthening federal law enforcement collaboration mechanisms with allies and partners, and conducting a regional cyber hubs study.

The plan also looks towards strengthening international partners’ cyber capacity, and expanding that capacity through operational law enforcement collaboration. It also looks to expand the nation’s ability to assist allies and partners by establishing flexible foreign assistance mechanisms that can provide cyber incident response support quickly. It also looks to build coalitions to reinforce global norms of responsible state behavior and hold irresponsible states accountable when they fail to uphold their commitments.

The NCSIP also works to secure global supply chains for information, communications, and OT (Operational Technology) products and services that promote the development of secure and trustworthy information and communication technology (ICT) networks and services. It also works to promote a more diverse and resilient supply chain of ICT vendors, begin administering the Public Wireless Supply Chain Innovation Fund (PWSCIF), and promulgate and amplify Cybersecurity Supply Chain Risk Management (C-SCRM) key practices across and within critical infrastructure sectors. 

A Fact Sheet released Thursday by the Biden-Harris administration identified that 18 agencies are leading initiatives in this whole-of-government plan demonstrating the Administration’s deep commitment to a more resilient, equitable, and defensible cyberspace. 

The Office of the National Cyber Director (ONCD) will coordinate activities under the plan, including an annual report to the President and Congress on the status of implementation, and partner with the Office of Management and Budget (OMB) to ensure funding proposals in the President’s Budget Request are aligned with NCSIP initiatives, the document said. 

It added that the U.S. administration looks forward to implementing this plan in continued collaboration with the private sector, civil society, international partners, Congress, and state, local, Tribal, and territorial governments. “As an example of the Administration’s commitment to public-private collaboration, ONCD is also working on a request for information regarding cybersecurity regulatory harmonization that will be published in the near future.”

Last month, a memorandum was issued to department and agency heads, outlining the Biden administration’s cross-agency cybersecurity investment priorities for the formulation of the fiscal year (FY) 2025 Budget submissions to OMB, consistent with spring guidance. Additionally, guidance on cybersecurity research and development priorities will be released in a separate memorandum.
