On July 13, 2023, the White House issued the first iteration of its National Cybersecurity Strategy Implementation Plan (the “Implementation Plan”), which will be updated annually. The two overarching goals of the Implementation Plan are to address the need for more capable actors in cyberspace to bear more of the responsibility for cybersecurity and to increase incentives to make investments in long-term resilience. The Implementation Plan is structured around the five pillars laid out in the White House’s National Cybersecurity Strategy earlier this year, namely: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. The Implementation Plan identifies strategic objectives and high-impact cybersecurity initiatives under each pillar and designates the federal agency responsible for leading the initiative to meet each objective. The following summarizes some of the key initiatives included in the Implementation Plan that will directly impact critical infrastructure organizations, including healthcare, energy, manufacturing, information technology and financial services.
Pillar One: Defend Critical Infrastructure
The first pillar of the Implementation Plan focuses on initiatives aimed at supporting national security and public safety. It includes a National Security Council (NSC) initiative to establish cybersecurity requirements across critical infrastructure sectors, a National Institute of Standards and Technology (NIST) initiative to increase agency use of frameworks and international standards (such as the NIST Cybersecurity Framework (CSF)), and a Cybersecurity and Infrastructure Security Agency (CISA) initiative to scale public-private partnerships. Notably, it also includes a CISA initiative to issue a final rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). As we have previously written, CIRCIA directs CISA to publish a notice of proposed rulemaking within 24 months of the date of the enactment of CIRCIA and to issue a final rule no later than 18 months after publication of the proposed rulemaking. Under the Implementation Plan, this should be completed by September 30, 2025.
Pillar Two: Disrupt and Dismantle Threat Actors
The second pillar of the Implementation Plan lists a number of legislative and regulatory initiatives, with short deadlines, aimed at addressing and preventing cybercrime. These include an initiative for the Department of Defense (DOD) to publish an updated cyber strategy by the first quarter of fiscal year 2024 (1Q FY24) (i.e., October 1 – December 31, 2023); a Department of Justice (DOJ) initiative to work with interagency partners to propose legislation to disrupt and deter cybercrime by 4Q FY23 (i.e., July 1 – September 30, 2023); and a Department of Commerce initiative to publish a Notice of Proposed Rulemaking on requirements, standards and procedures for Infrastructure-as-a-Service (IaaS) providers and resellers, also by 4Q FY23. (The federal fiscal year runs October 1 – September 30.)
Pillar Three: Shape Market Forces to Drive Security and Resilience
Perhaps most significantly, the third pillar includes a strategic objective to “shift liability for insecure software products and services” with a directive for the Office of the National Cyber Director (ONCD) to host a symposium to “explore approaches to develop a long-term flexible and enduring software liability framework.” As stated in the Implementation Plan, “to begin to shape standards of care for secure software development,” the Administration will “drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.” The completion date for this initiative is 2Q FY24.
Other Pillar Three strategic security objectives and initiatives include:
- Driving the Development of Secure IoT Devices. This strategic objective includes an initiative for the Office of Management and Budget (OMB) to implement Federal Acquisition Regulation (FAR) requirements in line with the Internet of Things Cybersecurity Improvement Act of 2020, which we have written about. The completion date is 4Q FY23.
- Leveraging the False Claims Act to Improve Vendor Cybersecurity. Under this initiative the DOJ will expand efforts to “identify, pursue, and deter knowing failures to comply with cybersecurity requirements in Federal contracts and grants[.]” The strategy notes that the Civil Cyber Fraud Initiative (CCFI), using DOJ authorities under the False Claims Act, can pursue civil actions against government grantees and contractors “who fail to meet cybersecurity obligations,” such as by “providing deficient cybersecurity products, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.” The completion date is 4Q FY25.
- Exploring a Federal Cyber Insurance Backstop. Under this initiative, the Department of Treasury’s Federal Insurance Office, in coordination with CISA and ONCD, will “assess the need for a Federal insurance response to catastrophic cyber events” that would “support the existing cyber insurance market.” The completion date is 1Q FY24.
Pillar Four: Invest in a Resilient Future
A notable strategic objective of the fourth pillar is to “secure the technical foundation of the Internet.” The initiatives under Pillar Four include an OMB initiative to lead the adoption of network security best practices, including prioritizing encryption of Domain Name System (DNS) requests, with a completion date of 2Q FY24. (We have previously written about vulnerabilities in software and firmware implementing DNS to protect against damaging data loss and insider threat.) The pillar also includes an ONCD initiative to promote the adoption of “memory safe programming languages” through the Open-Source Software Security Initiative (OS3I) (completion date 1Q FY24), and a NIST initiative to address Border Gateway Protocol (BGP) and IPv6 security gaps through international standards (completion date 2Q FY24). The ONCD will also lead an initiative to develop a National Cyber Workforce and Education Strategy (completion date 2Q FY24).
Pillar Five: Forge International Partnerships to Pursue Shared Goals
The fifth pillar in the Implementation Plan includes strategic objectives to publish an International Cyberspace and Digital Policy Strategy, expand international partners’ cyber capacity through operational law enforcement collaboration, and establish flexible foreign assistance mechanisms to provide cyber incident response support quickly. It also includes an initiative by the DOD, DOJ, and FBI to “hold irresponsible states accountable when they fail to uphold their commitments.”
Wide Ranging Initiatives
The Implementation Plan includes more than 65 initiatives, only some of which are highlighted in this post. While the Implementation Plan does not currently create any new or binding requirements on businesses, it provides a helpful roadmap to understand the federal government’s cybersecurity priorities and agency timelines for completing specific legislative proposals, rulemaking, and enforcement policies, all with significant business impact on cybersecurity. Organizations impacted by these initiatives, including financial services, energy, health, and software and technology providers, should assess the impact of the Plan on their cybersecurity operations, particularly as it pertains to regulatory compliance and any potential safe harbor. EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and to identify recognized security practices that may bolster practical security and improve compliance defensibility.