White House Issues National Cybersecurity Strategy Road Map
Implementation Plan for Strategy Assigns Federal Responsibilities, Sets Deadlines
The Biden administration has released a plan for implementing the long-awaited national cybersecurity strategy it published in March.
The new National Cybersecurity Strategy Implementation Plan, published Thursday, lays out deadlines and responsibilities for federal agencies. Both are being coordinated by the White House's Office of the National Cyber Director (see: White House Unveils Biden's National Cybersecurity Strategy).
Multiple cybersecurity experts have lauded not just the White House cybersecurity plan but also the new implementation schedule. This is especially important given the ever-increasing tempo of online threats facing the United States and its allies, not least at the hands of hackers affiliated with or run by Russia and China, said Tom Kellermann, senior vice president of cyber strategy at Contrast Security.
"Finally, we are moving in the right direction," he told Information Security Media Group. "I applaud the administration's holistic strategy and aggressive implementation plan."
The plan, dubbed the NCSIP, details how and by when approximately 65 different federal initiatives will need to be completed by 18 different federal agencies to deliver on the national cybersecurity strategy.
"Each NCSIP initiative is assigned to a responsible agency and has a timeline for completion," the White House said in an overview published Thursday.
Cybersecurity experts say the implementation plan is a tangible sign that the Biden administration proposes to deliver its national cybersecurity plan. "This is the first time I can remember seeing a document this high-level documenting initiatives, who is responsible for it, and expected completion dates," Jeff Moss, the founder of the Black Hat and DEF CON conferences, posted to Mastodon. "Great job, ONCD!"
The road map sets deadlines for numerous requirements contained in the national cybersecurity strategy. These range from prioritizing funding for cybersecurity research and coordinating vulnerability disclosure between public and private entities to disincentivizing safe havens for ransomware-wielding criminals and driving the development of technology that is secure by design and by default.
The national cybersecurity strategy was designed in part to facilitate better cybersecurity communication between the government and the private sector, said Chris Pierson, CEO of cybersecurity services firm BlackCloak. As part of the strategy, the newly published implementation road map will enable federal agency cyber leaders to develop "more specific prioritization of risk remediation activities" and "help align budget to those goals," he said.
The White House said the implementation plan "is a living document that will be updated annually."
Some aspects of the cybersecurity strategy have near-term deadlines, but many efforts will require years to achieve. Pierson said that assigning responsibilities through the NCSIP and making people accountable for analyzing and reporting on the effectiveness of the myriad underlying efforts will be essential for ensuring they are effectively specified and implemented.
Signposts for Congress
Democratic lawmakers Rep. Bennie G. Thompson of Mississippi, the ranking member of the House Committee on Homeland Security, and Rep. Eric Swalwell of California, the ranking member of the House Subcommittee on Cybersecurity and Infrastructure Protection, said the implementation plan will be crucial for developing needed legislation, particularly for combating nation-state threats.
"By being transparent about how the executive branch will pursue its ambitious cybersecurity goals, Congress is in a better position to provide the necessary resources and authorities while holding the administration accountable," the lawmakers said in a statement. "It also empowers the private sector and other critical stakeholders to engage effectively, which is critical because our success demands a full-court press."
Some GOP lawmakers have warned the Biden administration not to overregulate industry as part of its push to implement the strategy (see: Lawmakers Weigh Laws Proposed in Biden's Cyber Strategy).
Some of the deadlines specified in the NCSIP have already been met. For example, one initiative, which had a deadline of June 30, requires the Department of Homeland Security to work with Congress to draft legislation to create a Cyber Safety Review Board. In April, DHS published its proposed CSRB legislation.
Even before the release of the strategy, the Biden administration had begun attempting to bolster cybersecurity across multiple critical infrastructure sectors, including pipelines and railways. On March 3, the White House expanded that effort, when the Environmental Protection Agency issued guidance requiring states to review public water systems' cybersecurity posture.
"The bar we're setting is not a high bar. We really are just hoping that owners and operators do the basics," a senior administration official, speaking on condition of anonymity, said in March.
All has not been smooth sailing for these efforts. In April, a group of Republican-led states sued the EPA over water system cybersecurity requirements. The state attorneys general of Arkansas, Iowa and Missouri argued that the EPA lacks the power to impose cybersecurity rules. The American Water Works Association, which represents water systems of all sizes as well as consultancies and manufacturers, joined the lawsuit together with the National Rural Water Association, which represents small water systems, claiming the rules would require members to "undertake costly changes."
On Wednesday, the 8th U.S. Circuit Court of Appeals in St. Louis stayed the EPA's water sector guidance, pausing the requirements while it reviews the lawsuit.
As that demonstrates, some aspects of the strategy and its implementation already face an uphill battle, not least for its controversial call for vendors to assume more liability for developing secure code.
Pierson cautioned that for two decades, the government's calls for industry to voluntarily take greater responsibility for cybersecurity have failed to deliver what's required. "A shift will only come through financial incentives, regulatory changes and further partnership pathways," he said.