White House Announces Strategy to Set National Requirements to Secure Personal Data Consistent with NIST
On March 1, 2023, the White House announced the National Cybersecurity Strategy, a coordinated strategy to secure data with a focus on increasing cybersecurity for every company and individual within our great country. The strategy revolves around five pillars intended to build “enduring collaboration between stakeholders across our digital ecosystem” to ensure “that the underlying digital ecosystem is safe, reliable, and secure.” To increase cybersecurity on a national scale, the strategy relies on using a mix of existing legislation, such as the False Claims Act, the National Institute of Standards and Technology (NIST) Cybersecurity Framework-approved requirements for personal data security, the FTC Safeguards Rule, future legislation and agency rulemaking, and market forces, including leveraging government spending. Ultimately, the strategy will increase private companies’ responsibility for cybersecurity because “protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.”
The strategy is built around five pillars: “(1) Defend Critical Infrastructure; (2) Disrupt and Dismantle Threat Actors; (3) Shape Market Forces to Drive Security and Resilience; (4) Invest in a Resilient Future; and (5) Forge International Partnerships to Pursue Shared Goals.” This post focuses on the third pillar, namely how the government may “Shape Market Forces to Drive Security and Resilience.” To this end, the government intends to “drive the development of more secure protected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.” The government also intends to create statutory liability for software companies by requiring additional security and limiting the ability of companies to use contracts to disclaim liability.
While recognizing that market forces “remain the first, best route to agile and effective innovation,” the strategy seeks to incentivize companies to prioritize cybersecurity innovation through government actions. For example, the government plans to continue to advance the development of the “Internet of Things” (IoT) security labeling programs so that consumers of IoT goods, such as fitness trackers and baby monitors, can compare cybersecurity protections offered by different IoT products, thereby incentivizing companies to innovate on this front.
The strategy will also leverage the government’s spending power to both increase investments in cybersecurity infrastructure and ensure cybersecurity accountability among government contractors. As an example, through research and development grants, the government announced that it will work with the private sector to strengthen critical cybersecurity infrastructure. Further, federal contractors and vendors will be required to agree to contractual language that binds them to follow cybersecurity best practices. To ensure accountability for these practices, and as mentioned in our previous blog post, the Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative (CCFI) will use the False Claims Act to pursue civil actions against any company that fails to meet cybersecurity obligations within government contracts.
The strategy also indicates that the government will seek to develop new legislation and regulations to fill any existing gaps in the government’s cybersecurity authority. The government “supports legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data, like geolocation and health information.” The strategy explicitly calls for legislation to “set national requirements to secure personal data consistent with standards and guidelines developed by NIST.” In addition, the government intends to work with “the private sector to develop legislation establishing liability for software products and services. Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract and establish higher standards of care for software in specific high-risk scenarios.” To shape the standard of care for secure software development, the strategy calls for a safe harbor framework to be drawn from best practices for secure software development, “such as the NIST Secure Software Development Framework.”
Although these legislative changes may take some time to implement, compliance with and enforcement of cybersecurity policies and procedures are an obvious government focus in 2023. For example, by June 2023, the FTC Safeguards Rule requires non-banking financial institutions to develop, implement, and maintain a comprehensive cybersecurity program to protect customer information. Between this announcement of the National Cybersecurity Strategy, DOJ’s previously announced CCFI, the FTC Safeguards Rule, and the numerous announcements by various other federal and state agencies regarding cybersecurity, companies — from government contractors to technology providers — are advised to monitor developments in this space to ensure compliance with laws, rules, and industry standards.