On July 13, 2023, the White House unveiled its National Cybersecurity Strategy Implementation Plan (NCSIP or implementation plan), following the release of the National Cybersecurity Strategy.

The implementation plan identifies five pillars that align with the strategy:

  • Defending critical infrastructure
  • Disrupting and dismantling threat actors
  • Shaping market forces and driving security and resilience
  • Investing in a resilient future
  • Forging international partnerships to pursue shared goals

The administration identified two key motivations for the strategy and implementation plan:

  • To ensure "that the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk" and protecting end users from cyber threats.
  • To increase "incentives to favor long-term investments into cybersecurity."

The implementation plan lays out individual initiatives, a timeline for completing certain milestones and the federal agencies responsible for each initiative.

Impact on private-sector companies

The strategy and implementation plan recognize that a successful cyber strategy will rely on coordination between, and investments by, the "public sector, private industry, civil society, and international allies and partners." As such, there are a few key takeaways and potential opportunities for private-sector companies under each pillar.

Below, we highlight some of the implementation plan initiatives relevant to the private sector.

Defending critical infrastructure

  • The National Institute of Standards and Technology (NIST) will publish updates to its Cybersecurity Framework (CSF) by the first quarter of fiscal year 2025. (1.1.3)
    • Companies that comply with NIST guidance should watch for forthcoming updates and be prepared to implement changes.
  • The Cybersecurity and Infrastructure Security Agency (CISA) will lead public-private collaborations in order to develop and drive the adoption of "secure by design" and "secure by default" technology. (1.2.1)
    • Companies – particularly software developers and technology manufacturers – may want to consider engaging with CISA and other federal agencies to assist in the development of technological standards and adoption.
  • CISA will lead public-private collaboration through sectoral-sharing organizations – including Sector Coordinating Councils, Information Sharing and Analysis Centers (ISACs), and Information Sharing and Analysis Organizations (ISAOs). (1.2.4)
    • Companies that participate in ISACs or ISAOs may consider working with federal partners to help update information-sharing mechanisms and practices.
  • CISA will draft rules for implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). (1.4.2)
    • Critical infrastructure companies should watch for public notice and comment periods and consider engaging in the rulemaking process to help develop incident-reporting rules and standards.

Disrupting and dismantling threat actors

  • The Office of the National Cyber Director (ONCD) will work with private-sector companies to "improve operational collaboration with the goal of increasing disruption of malicious cyber actors." (2.2.1)
  • The Department of Justice (DOJ) will work with other federal agencies and private-sector companies to further disrupt ransomware activities. (2.5.3)
    • Companies that experience data breaches – particularly ransomware attacks – should speak with their Cooley attorneys about potential information sharing with law enforcement and federal agencies after a data breach.

Shaping market forces and driving security and resilience

  • The administration will develop an Internet of Things (IOT) labeling convention by the fourth quarter of fiscal year 2023. The new cyber trust mark program will create "tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes." (3.2.2)
    • Companies that create IOT products should consider engaging with the administration as it develops the labeling program and standards, and they should watch for the finalization and adoption of regulations relating to the cyber trust mark.
  • CISA will work with stakeholders to create a software bill of materials (SBOM). (3.3.2)
    • Companies involved in software development may consider engaging with CISA on the development of standards and adoption.
  • CISA will build a coordinated vulnerability disclosure program among public and private entities. (3.3.3)
    • Companies should watch for development of the program and mechanisms to report vulnerabilities across sectors and technologies.
  • The Office of Management and Budget will update the Federal Acquisition Regulation (FAR), which lays out rules and standards applicable to federal contractors. The new rules should reflect incident response procedures and cybersecurity contract requirements. (3.5.1)
    • Companies that currently, or may in the future, contract with the federal government may consider engaging with the FAR rulemaking process to develop the final rules, and they should watch for forthcoming changes to the FAR.

Investing in a resilient future

  • The federal government will prioritize research and development to "proactively prevent and mitigate cybersecurity risks in existing and next generation technologies." (4.2.1)
    • Companies that research and develop these technologies may look for federal grant opportunities.

Forging international partnerships to pursue shared goals

  • The National Telecommunications and Information Administration will begin administering a fund to start developing open, interoperable and standards-based networks. (5.5.3)
    • Companies that develop network technologies may consider applying for these grants.

What this all means

The strategy and implementation plan are just two initiatives from the administration addressing public-private cybersecurity, and we should expect to see continued guidance and progress on these initiatives. The implementation plan also has the potential to have a broad impact on cybersecurity for private companies and offers many potential touchpoints for companies to be part of crafting national solutions.

Private-sector companies should expect to see changing regulations and requirements in line with the implementation plan, as well as increased opportunities for collaboration and information sharing with federal government agencies. Additionally, as the implementation plan lays out, standards and regulations will be developed or updated, ideally with input and feedback from private-sector companies.

Companies should consider proactively engaging with federal partners to provide their expertise and help develop the standards and regulations described above. Once those standards and regulations are finalized, private-sector companies may choose to adhere to those that are voluntary (for example, the NIST guidance), while they will be required to follow certain others.
