White House Releases National Cybersecurity Strategy Implementation Plan
Friday, July 14, 2023
Cybersecurity Implementation Plan
Print Mail Download i

On July 13, 2023, the White House issued the first iteration of its National Cybersecurity Strategy Implementation Plan (the “Implementation Plan”), which will be updated annually. The two overarching goals of the Implementation Plan are to address the need for more capable actors in cyberspace to bear more of the responsibility for cybersecurity and to increase incentives to make investments in long-term resilience. The Implementation Plan is structured around the five pillars laid out in the White House’s National Cybersecurity Strategy earlier this year, namely: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. The Implementation Plan identifies strategic objectives and high-impact cybersecurity initiatives under each pillar and designates the federal agency responsible for leading the initiative to meet each objective. The following summarizes some of the key initiatives included in the Implementation Plan that will directly impact critical infrastructure organizations, including healthcare, energy, manufacturing, information technology and financial services.

Pillar One: Defend Critical Infrastructure

The first pillar of the Implementation Plan focuses on initiatives aimed at supporting national security and public safety. It includes a National Security Council (NSC) initiative to establish cybersecurity requirements across critical infrastructure sectors, a National Institute of Standards and Technology (NIST) initiative to increase agency use of frameworks and international standards (such as the NIST Cybersecurity Framework (CSF)), and a Cybersecurity and Infrastructure Security Agency (CISA) initiative to scale public private partnerships. Notably, it also includes a CISA initiative to issue a final rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). As we have previously written, CIRCIA directs CISA to publish a notice of proposed rulemaking within 24 months of the date of the enactment of CIRCIA, and that a final rule should be issued no later than 18 months after publication of the proposed rulemaking. Under the Implementation Plan this should be completed by September 30, 2025.

Pillar Two: Disrupt and Dismantle Threat Actors

The second pillar of the implementation plan lists a number of legislative and regulatory initiatives, with short deadlines, aimed at addressing and preventing cybercrime. These include an initiative for the Department of Defense (DOD) to publish an updated cyber strategy by first quarter of fiscal year 2024 (1Q FY24) (i.e., October 1 – December 31, 2023); a Department of Justice (DOJ) initiative to work with interagency partners to propose legislation to disrupt and deter cybercrime by 4Q FY23 (i.e., July 1- Sept. 30, 2023); and a Department of Commerce initiative to publish a Notice of Proposed Rulemaking on requirements standards and procedures for Infrastructure-as-a-Service (IaaS) providers and resellers also by 4Q FY23. (The federal fiscal year runs October 1 – September 30.)

Pillar Three: Shape Market Forces to Drive Security and Resilience

Perhaps most significantly, the third pillar includes a strategic objective to “shift liability for insecure software products and services” with a directive for the Office of the National Cyber Director (ONCD) to host a symposium to “explore approaches to develop a long-term flexible and enduring software liability framework.” As stated in the Implementation Plan, “to begin to shape standards of care for secure software development,” the Administration will “drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.” The completion date for this initiative is 2Q FY24.

Other Pillar Three strategic security objectives and initiatives include:

  • Driving the Development of Secure IoT Devices. This strategic objective includes an initiative for the Office of Management and Budget (OMB) to implement Federal Acquisition Regulation (FAR) requirements in line with the Internet of Things Cybersecurity Improvement Act of 2020, which we have written about here. The completion date is 4Q FY23.

  • Leveraging the False Claims Act to Improve Vendor Cybersecurity. Under this initiative the DOJ will expand efforts to “identify, pursue, and deter knowing failures to comply with cybersecurity requirements in Federal contracts and grants[.]” The strategy notes that the Civil Cyber Fraud Initiative (CCFI), using DOJ authorities under the False Claims Act, can pursue civil actions against government grantees and contractors “who fail to meet cybersecurity obligations,” such as by “providing deficient cybersecurity products, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.”  The completion date is 4Q FY25.

  • Exploring a Federal Cyber Insurance Backstop. Under this initiative by the Department of Treasury’s Federal Insurance Office, in coordination with CISA and ONCD, will “assess the need for a Federal insurance response to catastrophic cyber events” that would “support the existing cyber insurance market.” The completion date is 1QFY24.

Pillar Four: Invest in a Resilient Future

A notable strategic objective of the fourth pillar is to “secure the technical foundation of the Internet.” The initiatives under Pillar Four include an OMB initiative to lead the adoption of network security best practices including prioritizing encryption of Domain Name System (DNS) requests, with a completion date of 2Q FY24. (We have previously written about vulnerabilities in software and firmware implementing DNS to protect against damaging data loss and insider threat.) The pillar also includes an ONCD initiative to promote the adoption of “memory safe programming languages” through the Open-Source Software Security Initiative (OS3I) (completion date 1Q FY24), and a NIST initiative to address Border Gateway Protocol (BGP) and IPv6 security gaps through international standards (completion date 2Q FY24). The ONCD will also lead an initiative to develop a National Cyber Workforce and Education Strategy (completion date 2Q FY24).

Pillar Five: Forge International Partnerships to Pursue Shared Goals

The fifth pillar in the Implementation Plan includes strategic objectives to publish an International Cyberspace and Digital Policy Strategy, expand international partners’ cyber capacity through operational law enforcement collaboration, and establish flexible foreign assistance mechanisms to provide cyber incident response support quickly. It also includes an initiative by the DOD, DOJ, and FBI, to “hold irresponsible states accountable when they fail to uphold their commitments.”

Wide Ranging Initiatives

The Implementation Plan includes more than 65 initiatives, only some of which are highlighted in this post. While the Implementation Plan does not currently create any new or binding requirements on businesses, it provides a helpful roadmap to understand the federal government’s cybersecurity priorities, and agency timelines for completing specific legislative proposals and rulemaking, and enforcement policies all with significant business impact on cybersecurity. Organizations impacted by these initiatives, including financial services, energy, health, and software and technology providers, should assess the impact of the Plan on their cybersecurity operations, particularly as it pertains to regulatory compliance and any potential safe harbor. EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and to identify recognized security practices that may bolster practical security and improve compliance defensibility.

©2024 Epstein Becker & Green, P.C. All rights reserved.

Current Legal Analysis

More from Epstein Becker & Green, P.C.

U.S. Department of Labor Issues Final Overtime Rule Raising Salary Thresholds
by: Jeffrey H. Ruzal , Alexandria (Alex) Adkins
Medical Clinic’s Use of NDAs to Suppress Negative Online Reviews Violates Federal Consumer Review Fairness Act, Washington Federal Judge Finds
by: Eric J. Neiman
Chamber of Commerce and Others Swiftly File Lawsuits Seeking to Enjoin and Vacate the FTC’s Noncompete Rule
by: Daniel R. Levy , Erik W. Weibust
The FTC Finally Pulls the Trigger on a Final Noncompete Rule, with a Few Changes, but Remains Unlikely to Ever Hit Its Target
by: Erik W. Weibust , Peter A. Steinmeyer
Employment Law This Week Episode 343 - SCOTUS Expands Title VII, EEOC’s Final PWFA Rule, AI Screening Tools [Video, Podcast]
by: George Carroll Whipple, III
EEOC Final Rule Implementing the Pregnant Workers Fairness Act
by: Jennifer Stefanick Barna , Marguerite (Maggie) McGowan Stringer
Interested in Opening a Medical Spa? Here’s What You Need to Know
by: John W. Eriksen , Nivedita B. Patel
Five Commissioners and a Vote on Noncompetes to Come
by: E. John Steren , Patricia M. Wagner
U.S. Judicial Conference Aims to Curb "Judge Shopping": New Guidance Promoting Random Civil Case Assignments
by: Lori A. Medley , Scarlett L. Freeman
FTC Vote on Rule to Ban Non-Competes Scheduled for April 23rd
by: Mark L. Daniels

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins