The White House’s Office of the National Cyber Director (NCD) today released its much-awaited marching orders to implement the National Cybersecurity Strategy (NCS) that it published in March.
On the Federal agency front, the implementation plan enlists the additional efforts of several agencies that already are doing some of the heavy lifting on many aspects of cybersecurity work and policy.
Similarly, key issues that will get more attention include some that are already well-known in policy circles – including creation of software bills of materials, fighting ransomware and other cybercrime, improving incident response work, and pushing harder for international cybersecurity harmonization.
And high atop the initiatives featured in the plan released today, the NCD said it is preparing a request for information on “cybersecurity regulatory harmonization” for critical infrastructure that it plans to publish “in the near future.”
When it rolled out the NCS earlier this year, the National Cyber Director keyed on multiple focus points – including continuing efforts to improve security in already-regulated critical infrastructure sectors, a high-level goal of shifting more security responsibility onto providers of tech products and services, and a robust focus on using “all tools of national power” to go after attackers.
In the implementation plan released today, the NCD shaped its focus around two goals: “Ensuring that the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk,” and “increasing incentives to favor long-term investments into cybersecurity.”
Orders to Agencies
The implementation plan features “more than 65 high-impact initiatives requiring executive visibility and interagency coordination that the Federal government will carry out to achieve the strategy’s objectives,” NCD said.
Each of the 69 initiatives has been tasked to a Federal agency, with a timeline for completion, NCD said.
Taking on many of those initiatives will be 18 Federal agencies, NCD said. Agencies making prominent showings on NCD’s initiatives list include the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Justice Department, State Department, and the Commerce Department’s National Institute of Standards and Technology (NIST).
NCD added that while the implementation plan represents a “whole of government” approach, the entire effort also will encompass Congress, state, local, Tribal, and territorial governments, the private sector, civil society, and international partners.
NCD said it will coordinate activities under the plan, and work with the Office of Management and Budget (OMB) “to ensure funding proposals in the President’s Budget Request are aligned” with the implementation plan.
NCD also pledged today that the implementation plan will be a “living document,” and will be updated annually.
Steps Already Taken
Some of the 69 tasks on the list have already been completed – including the White House’s release in June of its fiscal year 2025 cybersecurity priorities, the Defense Department’s delivery to Congress in May of its 2023 cyber strategy, and the creation in June of the Justice Department’s National Security Cyber Division.
Big To-Do List
Among the 65 initiatives listed in the plan, NCD highlighted some of the major steps in a fact sheet released by the White House today:
- CISA will lead an effort to update the National Cyber Incident Response Plan “to more fully realize the policy that ‘a call to one is a call to all,’” NCD said, and to offer “clear guidance to external partners on the roles and capabilities of Federal agencies in incident response and recovery.”
- CISA and the FBI through the existing Joint Ransomware Task Force will lead efforts to combat ransomware and other cybercrime. The FBI will work with Federal, international, and private sector partners to “carry out disruption operations against the ransomware ecosystem, including virtual asset providers that enable laundering of ransomware proceeds and web fora offering initial access credentials or other material support for ransomware activities.” At the same time, CISA will lead efforts to offer resources “such as training, cybersecurity services, technical assessments, pre-attack planning, and incident response to high-risk targets of ransomware, like hospitals and schools, to make them less likely to be affected and to reduce the scale and duration of impacts if they are attacked,” NCD said.
- CISA will continue to lead work with stakeholders on identifying and reducing “gaps in software bill of materials (SBOM) scale and implementation,” and also will “explore requirements for a globally-accessible database for end of life/end of support software and convene an international staff-level working group on SBOM.”
- NIST will “convene the Interagency International Cybersecurity Standardization Working Group to coordinate major issues in international cybersecurity standardization and enhance U.S. federal agency participation in the process,” and finish standardization of one or more quantum-resistant public key cryptographic algorithms, NCD said. “Technical standards are foundational to the Internet, and U.S. leadership in this area is essential to the vibrancy and security of cyberspace,” it said.
- The State Department will create an International Cyberspace and Digital Policy Strategy “that incorporates bilateral and multilateral activities,” and will also work to “catalyze the development of staff knowledge and skills related to cyberspace and digital policy that can be used to establish and strengthen country and regional interagency cyber teams to facilitate coordination with partner nations.” Cyberspace, said NCD, “is inherently global, and policy solutions must reflect close collaboration with our partners and allies.”
The full scope of directives to agencies is listed in the plan released today.