Fresh from the federal policy mill, the Biden Administration's 57-page National Cybersecurity Strategy Implementation Plan (NCSIP) describes more than 65 initiatives that various federal agencies will implement during the next several years. These include strengthening US critical infrastructure against cyber threats, establishing enforceable liability for software products and services, and devising more effective ways to disrupt and disable threat-actor operations and their infrastructure.
An Implementation Roadmap
Several security professionals this week perceived the NCSIP as important for Biden's cybersecurity strategy to move forward and said its relatively aggressive deadlines convey the right sense of urgency to stakeholders. But some wondered — as they have previously — about how it would succeed without adequate funding and bipartisan support in Congress.
"This roadmap to implement the Cybersecurity Strategy continues to point in the right direction, but there are some financial potholes," said Robert DuPree, manager of government affairs at Telos, in an emailed comment. For instance, while the implementation plan calls on federal agencies to eliminate legacy systems, funding for the Technology Modernization Fund (TMF), which was approved in 2017, has not been forthcoming, he said. The proposed budget for FY 2024 requested a paltry $200 million for the TMF, but the House appropriations bill has zeroed out even that funding. "If no new funding is provided, the Administration is going to need to find a new way forward in its multi-year plan," DuPree added.
The NCSIP's executive summary described the version of the document, released this week, as the first iteration of the implementation plan and called it a "living document" that will be updated on an annual basis. "Initiatives will be added as the evolving cyber landscape demands and removed after completion," the summary noted.
Biden in March called the strategy essential to ensuring all stakeholders — including critical infrastructure sectors, software vendors, and service providers — take an active role in protecting against cyber threats. "We will rebalance the responsibility for cybersecurity to be more effective and more equitable," Biden had noted. "We will realign incentives to favor long-term investments in security, resilience, and promising new technologies."
The objectives of the cyber strategy are grouped under five separate pillars: Defend Critical Infrastructure; Disrupt and Dismantle Threat Actors; Shape Market Forces to Drive Security and Resilience; Invest in a Resilient Future; and Forge International Partnerships. This week's document provides high-level plans and initiatives for meeting these objectives.
For instance, the plans for bolstering critical infrastructure defense include establishing new cybersecurity requirements for organizations in the sector, scaling public-private partnerships, integrating federal cybersecurity centers, and updating federal incident response plans and processes. Similarly, the plans for dismantling threat actors include integrating separate federal disruption activities, increasing speed and scale of threat intelligence sharing, and preventing threat actors from abusing US infrastructure to carry out attacks.
Plans for the third pillar — which many security experts consider one of the most consequential of the five strategic objectives — include developing a long-term software liability framework, advancing software bill of materials (SBOM) initiatives, and other secure software development initiatives. The NCSIP provides similar plans and initiatives for both of the remaining pillars. Many of these plans have implementation deadlines of 2025, and some are already well underway.
Obstacles to Success
Karen Walsh, cybersecurity compliance expert at Allegro Solutions, says one problem with the implementation plan is that it lacks any path to coordinated, standardized enforcement and leaves individual sector-specific agencies in control. "Creating the legal and regulatory framework for enforcement requires working with Congress, which seems unlikely in our currently divisive political climate," she says.
Walsh says the two-to-three-year window that the implementation plan has set for creating software liability frameworks also appears a little ambitious. "In Q4 FY24, the Office of the National Cyber Director will convene a symposium to discuss different areas of regulatory law and potential frameworks," Walsh says. Then, by Q2 FY25, CISA needs to complete an SBOM gap assessment, but it is unlikely that it will be completed before 2026 given the complexity of the task. "Beyond this, depending on how the government structures this liability, a regulatory agency needs to be given the enforcement power, then engage in rule making, or a law must define the consequences. Again, that pushes any realistic timeline out even further."
Mike Hamilton, CISO at Critical Insight, perceives the new NCSIP as moving the needle forward around critical infrastructure security and on efforts to disrupt threat actors. The NCSIP, for instance, appears focused on broadening the national cyber incident response plan beyond the critical infrastructure sector to all sectors and business sizes, he says. "I suspect there will also be an initiative to enlist practitioners from the private sector as national-level responders in the event of significant infrastructure disruption. The issues to overcome will be credentialing and indemnification."
Significantly, the implementation plan has a role for the Cybersecurity and Infrastructure Security Agency (CISA) in providing cybersecurity training and incident response for the healthcare sector, a major target of ransomware attacks. "Knowing that the incident response will now be a federal agency in itself may give ransomware operators pause when thinking about hitting hospitals," Hamilton says.