The White House is targeting June to release its implementation plan for the National Cybersecurity Strategy (NCS) unveiled early last month, and private sector technology leaders are eager to see the Office of the National Cyber Director’s (ONCD) public strategy that aims to charge Federal agencies, the private sector, and civil society with specific cybersecurity action items.
The Biden-Harris administration’s strategy features multiple focus points including continuing efforts to improve security in already-regulated critical infrastructure sectors, a high-level goal of shifting more security responsibility onto providers of tech products and services, and a robust focus on using “all tools of national power” to go after attackers.
ONCD’s recently appointed Acting Director Kemba Walden testified before Congress in late March on her agency’s ongoing implementation efforts for the strategy, stating that “ONCD, in collaboration with OMB, are going to lead the development of this implementation plan, and in fact, we’ve already started that work.”
“This strategy is new and novel in my mind because we’ve attempted to, where appropriate, place departments and agencies responsible for certain action items. We will build that out in the implementation plan,” Walden said.
Industry Insight
Zscaler Vice President and Chief Compliance Officer Stephen Kovac said that ONCD’s success in implementing the strategy will rely on the application of mandates across government, private, and public sectors.
“There must be concrete guidance and timelines on how we can accelerate the adoption of zero trust architecture and stop the reliance on outdated legacy systems,” Kovac said. “Additionally, we have long been proponents for leveraging public-private partnerships to tackle cybersecurity challenges – our close relationship with CISA and participation in their Joint Cyber Defense Collaborative (JCDC) is a great example of this.”
“We hope the implementation plan specifically includes best practices from agencies that are already working across the government and industry to generate ideas and foster innovation,” Kovac said.
Kynan Carver, the Defense Department cybersecurity lead at Maximus, said he hopes ONCD’s implementation plan includes investment in a resilient future.
“While the country embraces new technology, such as AI, Blockchain, and ChatGPT, it becomes necessary to develop new policies that address the exchange of information between citizens and local, state, and federal governments,” Carver said. “By creating policies that ensure greater transparency of how a citizen’s digital persona is being shared, state, local, and federal agencies can better protect this data, ensuring the privacy of citizen data.”
“The new National Cybersecurity Strategy emphasizes the need to shift the burden for cybersecurity to those best positioned to mitigate risks,” CrowdStrike VP and Counsel of Privacy and Cyber Policy Drew Bagley explained. “All too often, victims pay the true costs of certain software vendors externalizing the risks and even monetizing insecure software applications.”
“A reasonable first step in implementation of the Strategy would be for the government to lead by example in not rewarding vendors that cause harm,” Bagley said. “To this end, the government can use its own procurement power to strengthen the security posture of the technology ecosystem, incentivizing vendors to sell secure software if they want to sell to the government.”
General Dynamics Information Technology Vice President for Cyber Matt McFadden offered up six key aspects that ONCD should consider including in its NCS implementation plan, among them building strong partnerships with the private sector to serve as a “united front against adversaries.”
McFadden said he hopes the implementation plan will “prioritize the adoption of minimum cybersecurity requirements across critical infrastructure sectors to ensure national security and public safety,” “make strategic investments in research and development in areas like post-quantum encryption, digital identity solutions, and clean energy infrastructure,” and “develop a diverse and robust national cyber workforce to meet the ever-growing demand for skilled cybersecurity professionals.”
Illumio Federal Field Chief Technology Officer Gary Barlet said it’s “encouraging to see the White House making moves to roll out an implementation plan for the National Cyber Strategy.”
“However, to be effective, the implementation plan must address two things: immediate impact and accountability,” Barlet said. “I would like to see clear, actionable, and time-bound goals and objectives that provide specific direction for agencies seeking to build cyber resilience.”
“We also need big ideas in the plan, like banning ransomware payments, mandating notifications from organizations within 72 hours of a breach, or preventing companies from working with the government if they fail to validate their cyber resilience,” he continued. “In addition, the plan should enable the government to lead by example – granting vital resources, investing in the workforce, and boosting accountability with realistic and aggressive timelines.”
Nikhil Girdhar, senior director with Securiti, said that through the NCS, the government is “signaling the urgent need to revamp cybersecurity posture and highlighting the critical role that Zero Trust approaches play in safeguarding digital assets across government agencies and commercial organizations.”
“The NCS has elevated data privacy to a national-level conversation, calling for increased accountability from companies that handle personal data,” Girdhar said. “This could lead to a more coordinated approach to privacy that empowers individuals to control their personal data while obliging companies to secure that data by implementing controls aligned with various standards such as NIST.”
Qmulos VP of Compliance Strategy Igor Volovich said that the NCS outlines a vision for a more secure, resilient, and trustworthy national cyberspace, and the document empowers ONCD to go beyond the traditionally accepted mandate of governmental guidance.
“With the adoption of the NCS, ONCD gains authority to prioritize cybersecurity investments at the agency level, ensuring strategic alignment and coordination of digital resilience efforts across the Federal ecosystem,” Volovich said.
“The various programs and initiatives contained in the NCS, as important as they are individually, must be recognized as integral components of the overall strategic objective: creating a radically new model for national cyber resilience management that integrates and leverages all available resources, talents, and capabilities across organizational boundaries, all working together to deliver on the promise of a secure, trustworthy, and resilient national cyberspace, assured privacy for digital citizens, and a prosperous digital economy,” he said.