First, there was a strategy. Now, there’s a plan. The Biden Administration recently released its plan for implementing the highly anticipated national cybersecurity strategy published in March.

The new National Cybersecurity Strategy Implementation Plan (NCSIP) lays out specific deadlines and responsibilities for the White House’s vision for cybersecurity. The plan is being managed by the White House’s Office of the National Cyber Director (ONCD).

Cybersecurity experts have applauded the Administration’s plan as well as the new implementation calendar. For example, Jeff Moss, the founder of the Black Hat and DEFCON conferences, posted, “This is the first time I can remember seeing a document this high-level documenting initiatives, who is responsible for it and expected completion dates. Great job, ONCD!”

Moving from strategy to plan implementation

The National Cybersecurity Strategy outlined two main areas of emphasis for the nation’s cybersecurity. First is the need for more capable actors to bear more responsibility for cybersecurity. Second is the need to increase incentives to invest in long-term resilience.

Now, the NCSIP aims to ensure transparency and coordination among U.S. federal government agencies to bring the strategy to life. This will be a groundbreaking shift in how the government allocates roles, responsibilities and resources in cyberspace, along with incentives for long-term investments into cybersecurity.

The NCSIP outlines over 65 “high-impact” federal initiatives to carry out the National Cybersecurity Strategy. Each initiative is designated to a specific agency along with a completion deadline date. The initiatives include targeted tasks, such as proposing new legislation or updating technology systems. Overall, 18 federal agencies have been assigned different responsibilities within the plan.

Five pillars of the NCSIP

The National Cybersecurity Strategy Implementation Plan is based on five core pillars:

• Pillar one: Defending critical infrastructure. As per the plan, CISA will lead an update of the National Cyber Incident Response Plan. The goal is to more fully realize the policy that “a call to one is a call to all.” Guidance will also be extended to external partners on the roles and capabilities of federal agencies in incident response and recovery.
• Pillar two: Disrupting and dismantling threat actors. The FBI will work with federal, international and private sector partners to carry out disruption operations against the ransomware ecosystem. This includes virtual asset providers that enable the laundering of ransomware proceeds and web forums offering stolen credentials or other material support for malicious activities. CISA will offer training, cybersecurity services, technical assessments, pre-attack planning and incident response to high-risk targets of ransomware, like hospitals and schools.
• Pillar three: Shaping market forces and driving security and resilience. The plan emphasizes the need to increase software transparency to enable better insight into supply chain risk and hold vendors accountable for secure development practices. CISA will promote the reduction of gaps in software bill of materials (SBOM) scale and implementation. CISA will also explore requirements for a globally-accessible database for end-of-life/end-of-support software.
• Pillar Four: investing in a resilient future. The National Institute of Standards and Technology (NIST) will convene the Interagency International Cybersecurity Standardization Working Group to coordinate international cybersecurity standardization and enhance U.S. federal agency participation in the process. NIST will also finish the standardization of one or more quantum-resistant public key cryptographic algorithms.
• Pillar five: Forging international partnerships to pursue shared goals. The Department of State (DOS) will publish an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities. The DOS will also work to develop staff knowledge and skills related to cyberspace and digital policy. The goal is to establish and strengthen country and regional interagency cyber teams to facilitate coordination with partner nations.

Secure-by-design, secure-by-default

Under the first pillar of the plan (Defending critical infrastructure), CISA will lead public-private partnerships with tech companies, educators, nonprofits, academia and the open-source community to drive the development and adoption of software and hardware that is secure-by-design and secure-by-default.

Secure-by-design principles should be implemented during the design phase of a product’s development lifecycle. The goal is to significantly reduce the number of exploitable flaws before products are introduced to the market.

Secure-by-default means products are secure to use out of the box, with little to no configuration changes, and are available at no additional cost. Examples of tools include multi-factor authentication (MFA), gathering and logging evidence of potential intrusions and controlling access to sensitive information.

Threat intelligence

Under pillar two (Disrupting and dismantling threat actors), the NSC will lead a policymaking process to establish an approach for Sector Risk Management Agencies (SRMAs) to identify sector-specific intelligence needs and priorities.

Additionally, the Office of the Director of National Intelligence, in coordination with DOJ and DHS, will review policies and procedures for sharing cyber threat intelligence with critical infrastructure owners and operators. The need for expanding clearances and intelligence access will also be evaluated.

IoT labeling

Given the rapid proliferation of connected devices, IoT represents a huge security challenge. The perimeter in enterprise computing has never been larger or more liquid. IoT devices, both inside and outside corporate offices, share the same potential security risks. Meanwhile, consumer devices are far less likely to offer security features, such as regular security-enhancing firmware updates.

As per the plan, the White House will continue to work towards improved IoT cybersecurity through federal R&D, procurement and risk management efforts. And the NSC will be tasked with identifying the “broad contours” of a U.S. Government Internet of Things (IoT) security labeling program.

Federal cyber grants and insurance

The plan also mentions something many organizations worry about – how to pay for modernization to meet new security standards. To address the economic need, the Administration will seek to leverage federal grants to improve infrastructure cybersecurity. The ONCD will develop materials to clarify, facilitate and encourage the incorporation of cybersecurity equities into federal grant projects.

Along similar lines, the plan will also assess the need for a federal cyber insurance response to catastrophic events. The response would be in support of the existing cyber insurance market.

A major step forward

While there is certainly a lot of work to be done, having a clear plan makes a big difference. The National Cybersecurity Strategy Implementation Plan is a major step in the right direction to address the growing cyber threat.