The federal government on July 13 launched the implementation plan for its National Cybersecurity Strategy, just four months after releasing the strategy document — an unheard-of pace.
The swift, decisive follow-up indicates that the administration recognizes how serious the cyber threat is to national security and critical infrastructure. There’s been an onslaught of cybersecurity incidents in the US, including the exploitation of several zero-day vulnerabilities and ransomware perpetrated by nation-state actors and cybercriminals.
The 57-page National Cybersecurity Strategy Implementation Plan (NCSIP) calls for immediate action in some cases. It enlists 18 federal agencies in a coordinated effort to put in place controls, promulgate regulations and even take offensive action against attackers, all under the leadership of the Office of the National Cyber Director (ONCD).
The strategy’s vision is for government agencies to work together and with private enterprise toward a common objective — strong and resilient economic, geopolitical and personal security.
Bringing the vision to life is not likely to be quick or easy. In our analysis, we called out three shifts to watch.
Among the 65+ initiatives in the plan, here are the ones that are most important to realizing these shifts. Be prepared to engage and share information in consultations and working groups, learn about and take advantage of new or increased government resources, and anticipate new compliance obligations.
Note that the numbering system below — for example, 3.2.2 — uses the reference numbers in the implementation plan.
The White House frames this shift as making the biggest, most capable and better-positioned entities — in both the public and private sectors — assume a greater share of the burden for mitigating cyber risk.
Initiate a security label program (3.2.2) A first step is the White House announcement on July 18 of a cybersecurity certification and labeling program to help Americans choose smart devices that are less vulnerable to cyberattacks. The “US Cyber Trust Mark” would be affixed to products that meet defined cybersecurity criteria. Already, major electronics, appliance and consumer product manufacturers as well as retailers and trade associations have made voluntary commitments to the program, which is expected to be up and running in 2024.
Explore approaches to develop a software liability framework (3.3.1) The cyber strategy recognizes the need to shield from liability those companies that securely develop and maintain their products and services. By spring 2024, the implementation plan calls for the ONCD to host a legal symposium to draw from regulatory law and computer science to come up with a framework.
Advance software bill of materials (SBOM) and mitigate the risk of unsupported software (3.3.2) The importance of securing the software ecosystem was recently underscored by the Cyber Safety Review Board’s report on Log4j. Log4j is incorporated into thousands of software components globally, and many of the nation’s critical infrastructure and government systems rely on it.
Under the implementation plan, the Cybersecurity and Infrastructure Security Agency (CISA) is to continue to work with key stakeholders to identify and reduce gaps in SBOM scale and implementation. CISA will also explore requirements for a globally accessible database of end-of-life/end-of-support software and convene an international staff-level working group on SBOM. This work is to be completed by the spring of 2025.
Takeaway: Confirm that you have a team that’s keeping up with evolving frameworks and future compliance requirements.
Establish an initiative for cyber regulatory harmonization (1.1.1) You have an opportunity to communicate your existing challenges with regulatory overlap as the ONCD and the OMB identify opportunities to harmonize baseline cyber requirements for critical infrastructure. This fact-finding is to be completed by the end of 2023, with a view to setting the requirements by the spring of 2025.
Update the National Incident Response Plan (1.4.1) “A call to one is a call to all” is the desired future operating state of an updated national incident response plan. CISA and the ONCD are to strengthen policies, procedures and systems in an updated plan by the end of calendar year 2024.
Draft legislation to codify the Cyber Safety Review Board (CSRB) (1.4.4) The 15-person CSRB is patterned after the highly effective lessons-learned model in other industries such as the National Transportation Safety Board. The Department of Homeland Security is working with the White House and Congress on a draft bill to codify the authority of the CSRB to conduct comprehensive reviews of significant incidents.
Accelerate development, standardization and adoption of foundational internet infrastructure capabilities and technologies (4.1.3, 4.3.3) CISA is to lead the Interagency International Cybersecurity Standardization Working Group to coordinate major issues in international cybersecurity standardization. NIST is tasked with finishing standardization of one or more quantum-resistant public-key cryptographic algorithms.
Takeaway: Prepare to participate and share information on fact-finding consultations.
Counter cybercrime, defeat ransomware (2.5) A five-pronged action plan names agencies that will be responsible for various aspects, working in concert within the Joint Ransomware Task Force or other groups.
FBI to carry out disruption operations against actors in the ransomware system, including virtual asset providers that enable laundering of proceeds.
DOJ to investigate ransomware crimes and disrupt the ecosystem.
CISA to mitigate ransomware risk for high-risk targets like hospitals and schools, and offer resources like training.
State Department and Justice Department to disincentivize safe havens for ransomware criminals.
Treasury Department to develop global anti-money laundering standards for virtual asset providers.
Takeaway: Know your allies. Share information to participate constructively in the coordinated response to cyber incidents.
A lot is riding on resources behind the major implementers of the plan. The ONCD will coordinate activities, including an annual report to the president and Congress on the status of implementation. Partnering with the Office of Management and Budget (OMB), the ONCD will confirm that funding proposals in the president’s budget request are aligned with NCSIP initiatives.
CISA is the responsible agency for implementing 10 significant actions among the 65+ initiatives in the implementation plan — raising questions about its current capacity to take these on. In addition to the responsibilities outlined above, it’s charged with scaling public-private partnership (1.2), updating the National Incident Response Plan (1.4.1), issuing the final rule under the Cybersecurity Incident Reporting for Critical Infrastructure Act (1.4.2) and building domestic and international support for coordinated vulnerability disclosure (3.3.3).
Sector risk management agencies (SRMA) are important contributors to the setting of cyber requirements, frameworks and standards across critical infrastructure sectors. They’re tasked with helping develop secure-by-design, secure-by-default principles and standards. Uneven capabilities across the SRMAs will need to be addressed for consistent implementation.
Legislation. Aside from the draft bill on authorities for CSRB, two agencies are tasked with working with Congress on developing legislative proposals — the ONCD on establishing a liability regime for software products and services and the Justice Department on increasing the government’s capacity to disrupt and deter cybercrime. These critical initiatives may be subject to uncertainty given current congressional priorities.
More than half (37) of the initiatives need to be completed by June 2024. They’re organized along five pillars.
Keep refining your organization’s defense-in-depth and cyber resilience. Both the offensive and defensive sides are continually sharpening their teams, processes and techniques, as PwC’s Cyber Threats 2022: Year in Retrospect recounts. Defense in depth plus real-time threat intelligence — it’s what consumers, employees and investors count on. Societal trust relies on it.
Strengthen your collaboration with the government and sector information-sharing centers. The implementation plan places a premium on public-private cybersecurity collaboration. A good start is joining your Information Sharing and Analysis Center (ISAC), the Cyber Collaboration Center (CCC), the Joint Cyber Defense Collaborative (JCDC) or the National Cyber-Forensics and Training Alliance (NCFTA).
If your enterprise is part of critical infrastructure, renew or nurture contacts at your SRMA and the local FBI field office. Capitalize on the integrated effort by the government to disrupt threat actor groups, be they nation-state actors or criminal groups.
Engage with regulators now. Stay abreast of new developments. Talk to regulators and engage in rulemaking or legislative processes to help your enterprise avoid being blindsided by regulations. Take an active interest if you’d like to shape the rules that could affect your company or sector.