Security & risk leaders, take note: on July 13, 2023, the Biden administration released the next major step in its plan to implement the National Cybersecurity Strategy (NCS). The National Cybersecurity Strategy Implementation Plan (NCSIP) includes 65 federal initiatives across 5 pillars aimed at increasing cybersecurity investment, assigning federal agencies to specific initiatives, and giving timelines for completion.
Eighteen federal departments and agencies are tapped to lead initiatives, with ONCD, CISA, NIST, DoD, DoJ, State, DHS, and the FBI getting the lion’s share of the responsibility. The Office of the National Cyber Director (ONCD) and the Office of Management and Budget (OMB) will lead the administration’s efforts and make funding proposals. The plan itself, however, doesn’t include any funding; it does reference future budget requests such as the Administration Cybersecurity Priorities for the FY 2025 Budget.
The NCSIP is the implementation plan for the NCS, providing more detail on the timeline for each initiative, how it will be executed, and which entity will be responsible for executing it. To learn more about the NCS and each initiative in depth, read our previous blog on the announcement here.
The NCSIP is meant to do two things:
- Ensure the public and private sector address cyber risks against critical infrastructure.
- Provide incentives for those committed to long-term cybersecurity investments.
Notably, each pillar has initiatives that directly affect the private sector, encompassing any and all ‘critical infrastructure’. Use The Forrester Model to Defend Against Nation State Threats to understand your potential exposure to regulations like these and what to expect in the next several years.
Below is a quick overview of each pillar along with its key initiatives. Each key initiative indicates whether the private sector or federal government will be responsible or affected.
Pillar One establishes regulations, standards, and directives to support the defense of critical infrastructure – it’s where regulations meet critical infrastructure providers in the public and private sector. It focuses on baseline standards for critical infrastructure, creating a method to provide updates and information to critical infrastructure providers, and modernizing federal cybersecurity infrastructure through tabletop exercises, unification of Federal Cyber Centers, and the modernization of the Federal Civilian Executive Branch.
Pillar Two is as close to ‘hack back’ as we will likely get – coordinating the disruption of cyberattacks through as many means as possible by the federal government. It includes takedown campaigns, ransomware disruption, legislation, proposals for regulations on IaaS providers, international relations, and updates to international standards.
Pillar Three continues the government’s emphasis on securing the software supply chain by advancing SBOM requirements, initiating IoT labeling, and establishing standards for coordinated vulnerability disclosure. For more on software bills of materials, check out Janet Worthington’s report, Prepare For Regulatory Requirements On Software Bills Of Materials.
Pillar Four looks to the future – securing the Internet and the workforce against emerging technologies. It focuses on improving the security of the internet, transitioning to more secure technologies such as memory-safe programming languages and quantum-resistant cryptography, and enabling initiatives like secure-by-design and engineering training to blossom.
Pillar Five focuses on enhancing cybersecurity capabilities, standards, and assistance with US allies and partners to secure cyberspace. With its international partnerships, the US government will build cyber coalitions and capacity, strengthen law enforcement, hold states accountable, expand foreign assistance for incident response, and promote secure supply chains for information and communications technologies (ICT).
The NCS and NCSIP have the potential to bolster the United States’ cyber resilience. This leadership at the national level has been long needed given the fractured nature of US cyberdefense and the reliance on private sector entities to defend themselves against nation-state actors.
While these are positive steps, the initiatives will push additional regulation onto the private sector, especially critical infrastructure. Security & risk leaders will have to plan for and adapt to these changes as they are introduced.
Stay tuned for additional blogs and research as the NCS moves forward. Forrester clients can schedule an inquiry or guidance session to discuss any of the topics mentioned in this blog and how they may impact them.