On July 13th, the White House released the National Cybersecurity Strategy Implementation Plan, a roadmap for coordinating the work needed to meet the strategic objectives set out in the National Cybersecurity Strategy released in March.
The plan is not intended to be an exhaustive list of the activities a federal agency undertakes. Instead, it is a set of "65 high-impact initiatives requiring executive visibility and interagency coordination". The document describes itself as a "first iteration" and a "living" document, with the intention of annual updates.
The Implementation Plan is divided into five pillars, each broken down into strategic objectives that in turn comprise multiple initiatives. Each initiative is assigned a responsible agency and a completion timeline.
The five pillars (the objectives under each were not preserved in this copy) are:
1. Defend Critical Infrastructure
2. Disrupt and Dismantle Threat Actors
3. Shape Market Forces to Drive Security and Resilience
4. Invest in a Resilient Future
5. Forge International Partnerships to Pursue Shared Goals
The document comprises 65 initiatives, many of which touch the private sector; in fact, there are twelve direct references to public-private partnerships in the document.
Below are the initiatives we identified as having the clearest implications for the private sector.
1.1.3 Increase agency use of frameworks and international standards to inform regulatory alignment
Implication: NIST is to issue Cybersecurity Framework (CSF) 2.0 and provide technical assistance on aligning regulations with international standards.
Completion Date: 1Q FY25
1.2.1 Scale public-private partnerships to drive development and adoption of secure-by-design and secure-by-default technology
Implication: CISA, with support from NIST, will create secure-by-design and secure-by-default principles and practices and drive collective action to adopt such principles and best practices.
Completion Date: 4Q FY24
2.1.1 Publish an updated DOD Cyber Strategy
Implication: DOD will update its Cyber Strategy with a focus on the challenges posed by nation-states. This will likely update the regulatory requirements for working with DOD and create projects for building new capabilities that will need private-sector partners.
Completion Date: 1Q FY24
2.2.1 Identify mechanism for increased adversarial disruption through public-private operational collaboration
Implication: ONCD will work with the private sector to increase adversarial disruption capabilities. Combined with 2.1.3 and 2.1.5, this makes the case for increasing the capability, tempo, and intensity of adversarial disruption operations.
Completion Date: 2Q FY24
2.4.1 Publish a Notice of Proposed Rulemaking on requirements, standards, and procedures for Infrastructure-as-a-Service (IaaS) providers and resellers
Implication: The NPRM is focused on clarifying the requirements for "exemptions" from the standards and procedures, and it applies to IaaS providers and resellers.
Completion Date: 2Q FY23
3.2.1 Implement Federal Acquisition Regulation (FAR) requirements per the Internet of Things (IoT) Cybersecurity Improvement Act of 2020
Implication: The FAR changes would establish cybersecurity requirements for IoT devices sold to federal agencies.
Completion Date: 4Q FY23
3.3.1 Explore approaches to develop a long-term, flexible, and enduring software liability framework
Implication: A shift in software liability is one of the most feared aspects of the 2023 Cybersecurity Strategy. This initiative invites participants such as academia and regulatory bodies to explore options for implementing such a shift. That said, we are puzzled that the completion date is almost a year out.
Completion Date: 2Q FY24
3.3.2 Advance software bill of materials (SBOM) and mitigate the risk of unsupported software
Implication: The initiative aims to identify and close gaps in SBOM scaling and implementation, and to work with the international community toward a globally accessible database of end-of-life/end-of-support software.
Completion Date: 2Q FY25
3.3.3 Coordinated vulnerability disclosure
Implication: Coordinated vulnerability disclosure is a largely ad hoc practice today. CISA will work toward building support for an expectation of coordinated vulnerability disclosure among public and private entities. This will likely result in a set of recommendations that the private sector can adopt.
Completion Date: 4Q FY25
3.4.3 Prioritize cybersecurity research, development, and demonstration of social, behavioral, and economic research in cybersecurity
Implication: The National Science Foundation (NSF) will fund cybersecurity-related research through grant awards.
Completion Date: 4Q FY24
3.5.1 Implement Federal Acquisition Regulation (FAR) changes required under EO 14028
Implication: This is the BIG one. The FAR changes will formalize the EO 14028 requirements for federal acquisition. Industry should therefore actively participate in the public comment period.
Completion Date: 1Q FY24
4.1.2 Promote open-source software security and the adoption of memory-safe programming languages
Implication: The Open-Source Software Security Initiative (OS3I) will be established to promote the adoption of memory-safe languages and raise the security baseline of the open-source software ecosystem.
Completion Date: 1Q FY24
4.1.5 Collaborate with key stakeholders to drive secure Internet routing
Implication: A roadmap to increase the adoption of secure Internet routing techniques, including identifying challenges and BGP security concerns, creating best practices, and identifying related research areas.
Completion Date: 3Q FY24
The White House continues to demonstrate its commitment to prioritizing national cybersecurity, and implementation is ongoing. The Implementation Plan provides an opportunity to understand the national strategy and its implications for private industry and the open-source ecosystem.