October 17, 2023 By Jonathan Reed 4 min read

First, there was a strategy. Now, there’s a plan. The Biden Administration recently released its plan for implementing the highly anticipated national cybersecurity strategy published in March.

The new National Cybersecurity Strategy Implementation Plan (NCSIP) lays out specific deadlines and responsibilities for the White House’s vision for cybersecurity. The plan is being managed by the White House’s Office of the National Cyber Director (ONCD).

Cybersecurity experts have applauded the Administration’s plan as well as the new implementation calendar. For example, Jeff Moss, the founder of the Black Hat and DEFCON conferences, posted, “This is the first time I can remember seeing a document this high-level documenting initiatives, who is responsible for it and expected completion dates. Great job, ONCD!”

Moving from strategy to plan implementation

The National Cybersecurity Strategy outlined two main areas of emphasis for the nation’s cybersecurity. First is the need for more capable actors to bear more responsibility for cybersecurity. Second is the need to increase incentives to invest in long-term resilience.

Now, the NCSIP aims to ensure transparency and coordination among U.S. federal government agencies to bring the strategy to life. This will be a groundbreaking shift in how the government allocates roles, responsibilities and resources in cyberspace, along with incentives for long-term investments into cybersecurity.

The NCSIP outlines over 65 “high-impact” federal initiatives to carry out the National Cybersecurity Strategy. Each initiative is designated to a specific agency along with a completion deadline date. The initiatives include targeted tasks, such as proposing new legislation or updating technology systems. Overall, 18 federal agencies have been assigned different responsibilities within the plan.

Five pillars of the NCSIP

The National Cybersecurity Strategy Implementation Plan is based on five core pillars:

  • Pillar one: Defending critical infrastructure. As per the plan, CISA will lead an update of the National Cyber Incident Response Plan. The goal is to more fully realize the policy that “a call to one is a call to all.” Guidance will also be extended to external partners on the roles and capabilities of federal agencies in incident response and recovery.
  • Pillar two: Disrupting and dismantling threat actors. The FBI will work with federal, international and private sector partners to carry out disruption operations against the ransomware ecosystem. This includes virtual asset providers that enable the laundering of ransomware proceeds and web forums offering stolen credentials or other material support for malicious activities. CISA will offer training, cybersecurity services, technical assessments, pre-attack planning and incident response to high-risk targets of ransomware, like hospitals and schools.
  • Pillar three: Shaping market forces and driving security and resilience. The plan emphasizes the need to increase software transparency to enable better insight into supply chain risk and hold vendors accountable for secure development practices. CISA will promote the reduction of gaps in software bill of materials (SBOM) scale and implementation. CISA will also explore requirements for a globally-accessible database for end-of-life/end-of-support software.
  • Pillar Four: investing in a resilient future. The National Institute of Standards and Technology (NIST) will convene the Interagency International Cybersecurity Standardization Working Group to coordinate international cybersecurity standardization and enhance U.S. federal agency participation in the process. NIST will also finish the standardization of one or more quantum-resistant public key cryptographic algorithms.
  • Pillar five: Forging international partnerships to pursue shared goals. The Department of State (DOS) will publish an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities. The DOS will also work to develop staff knowledge and skills related to cyberspace and digital policy. The goal is to establish and strengthen country and regional interagency cyber teams to facilitate coordination with partner nations.
Related: 2023 Threat Intelligence Index

Secure-by-design, secure-by-default

Under the first pillar of the plan (Defending critical infrastructure), CISA will lead public-private partnerships with tech companies, educators, nonprofits, academia and the open-source community to drive the development and adoption of software and hardware that is secure-by-design and secure-by-default.

Secure-by-design principles should be implemented during the design phase of a product’s development lifecycle. The goal is to significantly reduce the number of exploitable flaws before products are introduced to the market.

Secure-by-default means products are secure to use out of the box, with little to no configuration changes, and are available at no additional cost. Examples of tools include multi-factor authentication (MFA), gathering and logging evidence of potential intrusions and controlling access to sensitive information.

Threat intelligence

Under pillar two (Disrupting and dismantling threat actors), the NSC will lead a policymaking process to establish an approach for Sector Risk Management Agencies (SRMAs) to identify sector-specific intelligence needs and priorities.

Additionally, the Office of the Director of National Intelligence, in coordination with DOJ and DHS, will review policies and procedures for sharing cyber threat intelligence with critical infrastructure owners and operators. The need for expanding clearances and intelligence access will also be evaluated.

IoT labeling

Given the rapid proliferation of connected devices, IoT represents a huge security challenge. The perimeter in enterprise computing has never been larger or more liquid. IoT devices, both inside and outside corporate offices, share the same potential security risks. Meanwhile, consumer devices are far less likely to offer security features, such as regular security-enhancing firmware updates.

As per the plan, the White House will continue to work towards improved IoT cybersecurity through federal R&D, procurement and risk management efforts. And the NSC will be tasked with identifying the “broad contours” of a U.S. Government Internet of Things (IoT) security labeling program.

Federal cyber grants and insurance

The plan also mentions something many organizations worry about – how to pay for modernization to meet new security standards. To address the economic need, the Administration will seek to leverage federal grants to improve infrastructure cybersecurity. The ONCD will develop materials to clarify, facilitate and encourage the incorporation of cybersecurity equities into federal grant projects.

Along similar lines, the plan will also assess the need for a federal cyber insurance response to catastrophic events. The response would be in support of the existing cyber insurance market.

A major step forward

While there is certainly a lot of work to be done, having a clear plan makes a big difference. The National Cybersecurity Strategy Implementation Plan is a major step in the right direction to address the growing cyber threat.

More from Government

NIST’s security transformation: How to keep up

4 min read - One thing that came out of the pandemic years was a stronger push toward an organization-wide digital transformation. Working remotely forced companies to integrate digital technologies, ranging from cloud computing services to AI/ML, across business operations to allow workers to keep up high production and efficiency standards. Now that businesses and consumers have adjusted to the new normal of digital transformation, it is time to develop a security transformation strategy. Coping with the speed of change A constantly evolving tech…

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Why keep Cybercom and the NSA’s dual-hat arrangement?

4 min read - The dual-hat arrangement, where one person leads both the National Security Agency (NSA) and U.S. Cyber Command (Cybercom), has been in place since Cybercom’s creation in 2010. What was once touted as temporary 13 years ago now seems established. Will the dual-hat arrangement continue? Should it? Experts have discussed the pros and cons of both viewpoints for years. It remains in place for now, but is that likely to change in the future? That remains to be seen, and points…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today