Last week, the White House Office of the National Cyber Director (ONCD) released the Implementation Plan – a comprehensive guidance document that will serve as the blueprint for executing the National Cybersecurity Strategy that was released back in March. This highly anticipated plan lays out the key initiatives that will be advanced to support the administration’s top cybersecurity goals, with over 65 unique lines of effort across 18 federal agencies that are set to be updated on an annual basis.
At a time when policy takes a while to develop and it is increasingly difficult to coalesce around key priorities, the swift and thorough compilation of this Implementation Plan signals the administration’s ongoing commitment to cybersecurity – as well as significant bipartisan support for these activities from policymakers in Congress and entities within the private sector. Specifically, Congress and industry were broadly supportive of the Plan’s clear, concise directives that were laid out across all 65+ initiatives – each of which includes a description of the activity, a designated federal agency responsible for the implementation (along with defined contributing entities), and an estimated timeline for completion.
Accordingly, the plan follows the five key pillars from the National Cyber Strategy: 1) defending critical infrastructure, 2) disrupting and dismantling threat actors, 3) shaping market forces to drive security and resilience, 4) investing in a resilient future, and 5) forging international partnerships to pursue shared goals. Furthermore, the plan also includes a few initiatives that will be applied more broadly across the strategy in order to report on the effectiveness of the implementation, weave in lessons learned from implementation activities, and align the administration’s budgetary resources with the continued execution of the strategy.
The plan sets up the full cybersecurity ecosystem to hit the ground running on these efforts, with the White House Office of the National Cyber Director already announcing that it will expeditiously release a request for industry input on how best to harmonize cyber regulations across the federal government, with a pointed focus on encouraging reciprocity between regulators. As the administration quickly begins this work, several key themes have emerged as the clear top priorities for policymakers in the cyber domain:
Focusing on Critical Infrastructure: While the Implementation Plan deals with cybersecurity practices across all levels of public and private systems, the strategy continues to place a strong priority on protecting critical infrastructure. Critical infrastructure systems – which range from energy to transportation to water and more – have become increasingly at risk of cyberattack in recent years. As such, the Implementation Plan includes several activities designed to support critical infrastructure protections, including a directive for the Cybersecurity and Infrastructure Security Agency (CISA) to update the National Cyber Incident Response Plan with greater detail on how to respond to incidents impacting critical infrastructure.
Bolstering the Cyber Workforce: Enhancing the cyber workforce to meet the challenges of today (and the future) remains a top concern for the federal government, especially as cybersecurity professionals continue to be in high demand for lucrative positions within the private sector. As such, the Implementation Plan announces that the Office of the National Cyber Director will publish its highly anticipated National Cyber Workforce and Education Strategy by the 2nd quarter of the government’s Fiscal Year 2024. This strategy has been in the making for months now, and will represent the first-ever attempt to coordinate a whole-of-government approach for developing the cybersecurity workforce.
Advancing Cyber Standards and Best Practices: A key area of focus – led predominantly by the National Institute of Standards and Technology (NIST) – has been to develop cohesive and widely adopted standards and best practices that govern cybersecurity and enterprise risk management. The Implementation Plan directs NIST to continue this critical work, including to coordinate international cybersecurity standardization with buy-in from U.S. federal civilian executive branch agencies.
Furthering Regulatory Cooperation Among Agencies: An overarching theme of both the National Cyber Strategy and the corresponding Implementation Plan is to harmonize cybersecurity efforts across the federal government. As more and more agencies become involved in cyber, there have been jurisdictional questions regarding which agency retains purview over various areas – ranging from cyberattack response to incident reporting to ransomware and more. Furthermore, with the advent of the ONCD two years ago and increasing involvement from the Department of Justice on cyber issues, there continue to be questions surrounding CISA’s jurisdiction as the leading federal agency charged with handling cybersecurity issues. The Implementation Plan gives these concerns top priority as the first initiative in the document, by directing ONCD to work with the Office of Management and Budget (OMB) to establish an initiative on cyber regulatory harmonization.