National Cybersecurity Strategy Implementation Plan & Implications

A roadmap for coordinating the efforts toward meeting strategic objectives set with the National Cybersecurity Strategy.
Interlynk
July 14, 2023

On July 13th, The White House released the National Cybersecurity Strategy Implementation Plan — a roadmap for coordinating the efforts toward meeting the strategic objectives set in the National Cybersecurity Strategy released in March.

This plan is not intended to be an exhaustive list of activities a Federal Agency undertakes. Instead, it is a set of “65 high-impact initiatives requiring executive visibility and interagency coordination”. The document itself is considered “first iteration” and “living” with the intention of annual updates.

The Implementation Plan is divided into five pillars, each broken down into strategic objectives comprising multiple initiatives. Each initiative is assigned an agency and a timeline.

Implementation Objectives

The five pillars and associated objectives are:

Pillar One: Defend Critical Infrastructure

Objectives:

  • 1.1 Establish Cybersecurity Requirements to Support National Security and Public Safety
  • 1.2 Scale Public-Private Collaboration
  • 1.3 Integrate Federal Cybersecurity Centers
  • 1.4 Update Federal Incident Response Plan and Processes
  • 1.5 Modernize Federal Defenses

Pillar Two: Disrupt and Dismantle Threat Actors

Objectives:

  • 2.1 Integrate Federal Disruption Activities
  • 2.2 Enhance Public-Private Operational Collaboration to Disrupt Adversaries
  • 2.3 Increase the Speed and Scale of Intelligence Sharing and Victim Notification
  • 2.4 Prevent Abuse of U.S.-Based Infrastructure
  • 2.5 Counter Cybercrime, Defeat Ransomware

Pillar Three: Shape Market Forces to Drive Security and Resilience

Objectives:

  • 3.1 [None specified]
  • 3.2 Drive the Development of Secure IoT Devices
  • 3.3 Shift Liability for Insecure Software Products and Services
  • 3.4 Use Federal Grants and Other Incentives to Build in Security
  • 3.5 Leverage Federal Procurement to Improve Accountability
  • 3.6 Explore a Federal Cyber Insurance

Pillar Four: Invest in A Resilient Future

Objectives:

  • 4.1 Secure The Technical Foundation of the Internet
  • 4.2 Reinvigorate Federal Research and Development for Cybersecurity
  • 4.3 Prepare for Our Post-Quantum Future
  • 4.4 Secure Our Clean Energy Future
  • 4.5 [None specified]
  • 4.6 Develop a National Strategy to Strengthen Our Cyber Workforce

Pillar Five: Forge International Partnerships to Pursue Shared Goals

Objectives:

  • 5.1 Build Coalitions to Counter Threats to Our Digital Ecosystem
  • 5.2 Strengthen International Partner Capacity
  • 5.3 Expand U.S. Ability to Assist Allies and Partners
  • 5.4 Build Coalitions to Reinforce Global Norms of Responsible State Behavior
  • 5.5 Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services

Implications Timeline

The document comprises 65 initiatives, many of which have exposure to the private sector. In fact, there are twelve direct references to public-private partnerships in the document.

However, we have identified the following initiatives with the clearest implications for the private sector.

4Q FY23

  • 2.4.1: Publish a Notice of Proposed Rulemaking on requirements, standards, and procedures for Infrastructure-as-a-Service (IaaS) providers and resellers
  • 3.2.1: Implement Federal Acquisition Regulation (FAR) requirements per the Internet of Things (IoT) Cybersecurity Improvement Act of 2020
  • 3.2.2: Initiate a U.S. Government IoT security labeling program
  • 5.5.3: Begin administering the Public Wireless Supply Chain Innovation Fund (PWSCIF)

1Q FY24

  • 2.1.1 Publish an updated DOD Cyber Strategy
  • 3.5.1 Implement Federal Acquisition Regulation (FAR) changes required under EO 14028
  • 4.1.2 Promote open-source software security and the adoption of memory safe programming languages
  • 4.2.1 Accelerate maturity, adoption, and security of memory safe programming languages
  • 4.4.1 Drive adoption of cyber secure-by-design principles by incorporating them into Federal projects

2Q FY24

  • 2.2.1 Identify mechanisms for increased adversarial disruption through public-private operational collaboration
  • 3.3.1 Explore approaches to develop a long-term, flexible, and enduring software liability framework

3Q FY24

  • 4.1.5 Collaborate with key stakeholders to drive secure Internet routing

4Q FY24

  • 1.2.1 Scale public-private partnerships to drive development and adoption of secure-by-design and secure-by-default technology
  • 3.4.3 Prioritize cybersecurity research, development, and demonstration of social, behavioral, and economic research in cybersecurity

1Q FY25

  • 1.1.3 Increase agency use of frameworks and international standards to inform regulatory alignment

2Q FY25

  • 3.3.2 Advance software bill of materials (SBOM) and mitigate the risk of unsupported software

4Q FY25

  • 3.3.3 Coordinated vulnerability disclosure

Implication Details

1.1.3: Increase agency use of frameworks and international standards to inform regulatory alignment

Implication: NIST to issue Cybersecurity Framework (CSF) 2.0 and provide technical assistance on the alignment of regulations with international standards

Completion Date: 1Q FY25

1.2.1 Scale public-private partnerships to drive development and adoption of secure-by-design and secure-by-default technology

Implication: CISA, with support from NIST, will create secure-by-design and secure-by-default principles and practices and drive collective action to adopt such principles and best practices.

Completion Date: 4Q FY24

2.1.1 Publish an updated DOD Cyber Strategy

Implication: DOD will update its Cyber Strategy focusing on challenges posed by nation-states. This likely updates regulatory requirements for working with the DOD and creates projects for building new capabilities that will need private partnerships.

Completion Date: 1Q FY24

2.2.1 Identify mechanisms for increased adversarial disruption through public-private operational collaboration

Implication: ONCD will work with the private sector to increase adversarial disruption capabilities. Combined with 2.1.3 and 2.1.5, this makes the case for increasing the capability, tempo, and intensity of adversarial disruption.

Completion Date: 2Q FY24

2.4.1 Publish a Notice of Proposed Rulemaking on requirements, standards, and procedures for Infrastructure-as-a-Service (IaaS) providers and resellers

Implication: The NPRM is focused on clarifying requirements for ‘exemptions’ from standards and procedures and applies to IaaS providers and resellers.

Completion Date: 2Q FY23

3.2.1 Implement Federal Acquisition Regulation (FAR) requirements per the Internet of Things (IoT) Cybersecurity Improvement Act of 2020

Implication: FAR changes would set up requirements for IoT devices sold to Federal agencies.

Completion Date: 4Q FY23

3.3.1 Explore approaches to develop a long-term, flexible, and enduring software liability framework

Implication: The software liability shift is one of the most feared aspects of the 2023 Cybersecurity Strategy. This initiative invites participants such as academia and regulatory bodies to explore options for implementing such a shift. At the same time, we are puzzled why it is almost a year out.

Completion Date: 2Q FY24

3.3.2 Advance software bill of materials (SBOM) and mitigate the risk of unsupported software

Implication: The initiative aims to identify and reduce SBOM scale and implementation gaps, and to work with the international community to create a globally accessible end-of-life/end-of-support software database.

Completion Date: 2Q FY25

3.3.3 Coordinated vulnerability disclosure

Implication: Coordinated vulnerability disclosure is an ad hoc practice today. CISA will work towards building support for an expectation of coordinated vulnerability disclosure among public and private entities. This likely results in a set of recommendations that the private sector can adopt.

Completion Date: 4Q FY25

3.4.3 Prioritize cybersecurity research, development, and demonstration of social, behavioral, and economic research in cybersecurity

Implication: National Science Foundation will grant awards for cybersecurity-related research.

Completion Date: 4Q FY24

3.5.1 Implement Federal Acquisition Regulation (FAR) changes required under EO 14028

Implication: This is the BIG one. FAR changes will formalize EO 14028 requirements for Federal acquisition. Therefore, the industry should actively participate in the public comment period.

Completion Date: 1Q FY24

4.1.2 Promote open-source software security and the adoption of memory-safe programming languages

Implication: The Open-Source Software Security Initiative (OS3I) will be established to promote memory-safe language adoption and raise the security baseline of the open-source software ecosystem.

Completion Date: 1Q FY24

4.1.5 Collaborate with key stakeholders to drive secure Internet routing

Implication: A roadmap to increase the adoption of secure Internet routing techniques, including identifying challenges and BGP security concerns, creating best practices, and identifying related research areas.

Completion Date: 3Q FY24

Conclusion

The White House continues to demonstrate its commitment to prioritizing national cybersecurity, and implementation is ongoing. The Implementation Plan provides an opportunity to understand the National Strategy and its implications for private industry and the open-source ecosystem.