On July 13, 2023 the White House issued the National Cybersecurity Strategy Implementation Plan (“NCSIP”). The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year. This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually. Consistent with the Strategy, the NCSIP contemplates five broad lines of effort (“pillars”):
- Defending critical infrastructure;
- Disrupting and dismantling threat actors;
- Shaping market forces to drive security and resilience;
- Investing in a resilient future; and
- Forging international partnerships to pursue shared goals.
Among the many initiatives, the Administration has outlined several specific efforts over the next three years that will be of interest to technology companies, federal contractors, and critical infrastructure owners and operators.
- By the end of FY2023, the Administration plans to implement the government’s Internet of Things (“IoT”) security labeling program and – in line with the IoT Cybersecurity Improvement Act of 2020 – propose corresponding changes to the Federal Acquisition Regulation (“FAR”). The Administration also plans to publish a Notice of Proposed Rulemaking on requirements, standards, and procedures for Infrastructure-as-a-Service providers and resellers, in line with E.O. 13984.
- In the first quarter of FY2024, the Administration plans to propose FAR changes required under E.O. 14028 (the “Cyber EO”) regarding standardizing cybersecurity requirements for unclassified federal information systems (FAR Case 2021-019), cyber threat and incident reporting and information sharing (FAR Case 2021-017), and supply chain software security (FAR Case 2023-002). The Department of Energy, working with CISA and the Office of the National Cyber Director (“ONCD”), will also “drive adoption of cyber secure-by-design principles by incorporating them into Federal projects.” In the second quarter of FY2024, ONCD – as part of the Administration’s efforts to shift liability for insecure software products and services from users to producers and vendors – plans to propose an approach to harmonizing baseline cybersecurity requirements for critical infrastructure and to develop a “long-term, flexible, and enduring software liability framework” with an “adaptable safe harbor.”
- By the first quarter of FY2025, the National Institute of Standards and Technology (“NIST”) plans to publish Cybersecurity Framework 2.0 to keep pace with advancing technology and evolving threats. During the second quarter of FY2025, CISA will work with key stakeholders to identify and reduce gaps in software bills of materials (“SBOMs”) and explore requirements for a globally accessible database of end-of-life/end-of-support software. By the end of FY2025, CISA will issue final rules in line with the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”). The Department of Justice (“DOJ”) will also be tasked with expanding its efforts to leverage the False Claims Act to pursue civil actions against government contractors who fail to meet cybersecurity obligations.
- By the first quarter of FY2026, CISA will lead a cross-sector effort to review public-private collaboration mechanisms to ensure that there are effective information sharing platforms and processes in place to address emerging cyber threats.
The following table provides an overview of NCSIP initiatives, arrayed in the order that the Administration plans to complete each effort.
| Completion Date | Line of Effort | Lead Agency (coordinating agencies) | Description |
|---|---|---|---|
| Fiscal Year 2023 | | | |
| Q2 | 1.4.4 | DHS (DOD, DOJ, CISA, FBI, NSA, OMB, ONCD) | Draft legislation to codify the Cyber Safety Review Board (“CSRB”) with the required authorities to carry out comprehensive review of significant incidents. |
| Q3 | – | – | – |
| Q4 | 1.3.1 | ONCD (OMB) | Assess and improve Federal Cybersecurity Centers’ and related cyber centers’ capabilities and plans necessary for collaboration at speed and scale. |
| | 2.4.1 | Commerce (DHS, DOJ, ODNI, FBI) | Publish a Notice of Proposed Rulemaking on requirements, standards, and procedures for Infrastructure-as-a-Service (“IaaS”) providers and resellers. |
| | 2.5.1 | State (DHS, DOJ, CISA, FBI) | Develop an international engagement plan to discourage nations from acting as safe havens for ransomware criminals and strengthen international cooperation in countering transnational cybercrime. |
| | 3.2.1 | OMB | Implement FAR requirements per the Internet of Things (“IoT”) Cybersecurity Improvement Act of 2020. |
| | 3.2.2 | NSC | Initiate a U.S. Government IoT security labeling program. |
| | 3.4.1 | ONCD (CISA, OMB) | Leverage Federal grants to improve infrastructure cybersecurity. |
| | 3.4.2 | OSTP (OMB, ONCD) | Prioritize funding for cybersecurity research. |
| | 5.5.3 | NTIA (DHS, DOD, ODNI, FCC, NIST) | Begin administering the Public Wireless Supply Chain Innovation Fund. |
| | 6.1.3 | ONCD (OMB) | Align budgetary guidance with National Cybersecurity Strategy implementation. |
| Fiscal Year 2024 | | | |
| Q1 | 1.1.1 | ONCD (FCC, OMB) | Establish an initiative on cyber regulatory harmonization. |
| | 1.2.2 | CISA (SRMAs, NSC, ONCD) | Provide recommendations for the designation of critical infrastructure sectors and Sector Risk Management Agencies (“SRMAs”). |
| | 1.4.3 | ONCD (DHS) | Develop exercise scenarios to improve the government’s cyber incident response. |
| | 2.1.1 | DOD | Publish an updated DOD Cyber Strategy to focus on challenges posed by nation-states and other malicious actors whose capabilities or campaigns pose a strategic-level threat to the United States and its interests. |
| | 2.5.2 | FBI (DOJ, CISA, NSA, USSS) | Disrupt ransomware crimes by using all elements of national power. |
| | 3.5.1 | OMB | Implement FAR changes required under the Cyber E.O. |
| | 3.6.1 | Treasury (CISA, ONCD) | Assess the need for a Federal insurance response to a catastrophic cyber event that would support the existing cyber insurance market. |
| | 4.1.2 | ONCD (CISA, NSF, OMB) | Promote open-source software security and the adoption of memory safe programming languages. |
| | 4.1.3 | NIST | Convene the Interagency International Cybersecurity Standardization Working Group to coordinate on major issues in international cybersecurity standardization and enhance U.S. Federal agency participation in the process. |
| | 4.2.1 | OSTP (DHS, CISA, NIST, NSF) | Accelerate maturity, adoption, and security of memory safe programming languages. |
| | 4.4.1 | DOE (CISA, NIST, ONCD) | Drive adoption of cyber secure-by-design principles by incorporating them into Federal projects. |
| | 5.1.2 | State (OMB, ONCD) | Publish an International Cyberspace and Digital Policy Strategy in accordance with the FY23 National Defense Authorization Act. |
| | 5.2.1 | State (Commerce, DHS, DOD, DOE, DOJ, Treasury, CISA, FBI, USAID) | Strengthen international partners’ cyber capacity. |
| | 5.3.1 | State (DHS, DOD, FBI, USAID) | Establish flexible foreign assistance mechanisms to provide cyber incident response support quickly. |
| Q2 | 1.5.1 | OMB (CISA, NIST, ONCD) | Secure unclassified Federal Civilian Executive Branch (“FCEB”) systems through collective operational defense and expanded use of centralized shared services, enterprise license agreements, and software supply chain risk mitigation. |
| | 2.1.5 | FBI | Increase speed and scale of disruption operations. |
| | 2.2.1 | ONCD (DOJ, CISA, FBI, NSA, USSS) | Identify mechanisms for increased adversarial disruption through public-private operational collaboration. |
| | 2.5.3 | DOJ | Investigate ransomware crimes and disrupt the ransomware ecosystem. |
| | 3.3.1 | ONCD | Explore approaches to develop a long-term, flexible, and enduring software liability framework, working with key stakeholders. |
| | 4.1.1 | OMB (CISA, ONCD) | Lead the adoption of network security best practices such as encryption of Domain Name System requests (as aligned with the zero trust strategy and maturity model). |
| | 4.4.2 | ONCD (CPO, NEC, OSTP) | Develop a plan to ensure the digital ecosystem can support and deliver the U.S. government’s de-carbonization goals. |
| | 4.6.1 | ONCD | Publish a National Cyber Workforce and Education Strategy and track its implementation. |
| | 5.5.1 | State (Commerce, DHS, NSC, ONCD, USTR) | Promote the development of secure and trustworthy information and communication technology networks and services. |
| | 5.5.2 | State (Commerce, DFC, EXIM, USAID, USTDA) | Promote a more diverse and resilient supply chain of trustworthy information and communication vendors. |
| | 6.1.2 | ONCD (DHS, DOD, DOJ, CISA, FBI, NSA, OMB) | Apply lessons learned to National Cybersecurity Strategy implementation. |
| Q3 | 1.2.3 | CISA (DOJ, FBI, NSA, SRMAs) | Evaluate how CISA can leverage existing reporting mechanisms or the potential creation of a single portal to integrate and operationalize SRMAs’ sector-specific systems and processes. |
| | 2.3.2 | ODNI (DOD, DHS, DOJ, FBI, NSA, NSC, ONCD) | Remove barriers to delivering cyber threat intelligence and data to critical infrastructure owners and operators. |
| | 4.1.5 | ONCD (DOJ, CISA, FCC, NIST, NSA, NTIA, OSTP) | Collaborate with key stakeholders to drive secure Internet routing. |
| | 6.1.1 | ONCD (OMB) | Report progress and effectiveness on implementing the National Cybersecurity Strategy. |
| Q4 | 1.2.1 | CISA (NIST, NSF, SRMAs) | Scale public-private partnerships to drive development and adoption of secure-by-design and secure-by-default technology. |
| | 1.5.2 | OMB (CISA, GSA, ONCD) | Modernize FCEB technology, prioritizing Federal efforts to eliminate legacy systems which are costly to maintain and difficult to defend. |
| | 1.5.3 | NSA (OMB, ONCD) | Secure National Security Systems (“NSS”) at FCEB agencies. |
| | 2.1.4 | DOJ (DHS, Treasury, CISA, FBI, USSS, ONCD) | Propose legislation to disrupt and deter cybercrime and cyber-enabled crime. |
| | 2.5.5 | Treasury (DOJ, State, USSS, NSC) | Support other countries’ efforts to adopt and implement the global anti-money laundering/countering the financing of terrorism standards for virtual asset service providers. |
| | 3.4.3 | NSF | Prioritize cybersecurity research, development, and demonstration to understand individual and societal impacts on cybersecurity through research in cyber economics, human factors, information integrity, and related topics. |
| | 4.1.4 | NIST | Collaborate with the interagency, industry, academia, and others to address Border Gateway Protocol (“BGP”) and Internet Protocol Version 6 (“IPv6”) security gaps by driving development, commercialization, and adoption of international standards. |
| | 4.4.3 | DOE (NIST) | Build and refine training, tools, and support for engineers and technicians using cyber-informed engineering principles. |
| | 5.1.4 | ONCD (DOJ, State, FBI) | Commission a study on the European Cybercrime Centre to inform the development of future cyber hubs. |
| Fiscal Year 2025 | | | |
| Q1 | 1.1.3 | NIST (CISA, SRMAs) | Increase agency use of frameworks and international standards to inform regulatory alignment. |
| | 1.4.1 | CISA (DOJ, FBI, SRMAs, USSS, ONCD) | Update the National Cyber Incident Response Plan (“NCIRP”). |
| | 2.1.3 | DOJ | Expand organizational platforms dedicated to disruption campaigns against cybercriminals, nation-state adversaries, and associated enablers. |
| | 2.3.1 | NSC (DHS, DOJ, ODNI, CIA, CISA, FBI, NSA, SRMAs, USSS) | Identify and operationalize sector-specific intelligence needs and priorities. |
| | 2.5.4 | CISA (FBI, SRMAs, USSS, NSC) | Support private sector and state, local, Tribal, and territorial efforts to mitigate ransomware risk by offering training, cybersecurity services, technical assessments, pre-attack planning, and incident response to critical infrastructure organizations. |
| | 4.3.1 | OMB (NSA, ONCD) | Implement National Security Memorandum-10 and transition vulnerable public networks and systems to quantum-resistant cryptography. |
| | 4.3.3 | NIST | Standardize and support transition to post-quantum cryptographic algorithms. |
| | 5.1.1 | State (Commerce, DHS, DOJ, CISA, FBI, USAID) | Create interagency teams for regional cyber collaboration and coordination. |
| Q2 | 1.1.2 | NSC (SRMAs, ONCD) | Set cybersecurity requirements across critical infrastructure sectors. |
| | 1.2.5 | CISA (SRMAs, NSC) | Establish and codify an SRMA support capability to serve as the single point of contact for supporting all SRMAs. |
| | 3.3.2 | CISA | Advance software bills of materials (“SBOMs”) and mitigate the risk of unsupported software. |
| | 5.5.4 | NIST | Promulgate and amplify Cybersecurity Supply Chain Risk Management (“C-SCRM”) key practices across and within critical infrastructure sectors. |
| Q3 | 4.3.2 | NSA (DOD, ODNI) | Implement transition of NSS to quantum-resistant cryptography. |
| Q4 | 1.4.2 | CISA (DOJ, FBI, SRMAs, USSS) | Issue final Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) rule. |
| | 2.1.2 | FBI (DOJ) | Strengthen the National Cyber Investigative Joint Task Force (“NCIJTF”) capacity. |
| | 3.3.3 | CISA (State) | Build domestic and international support for an expectation of coordinated vulnerability disclosure among public and private entities, across all technology types and sectors, including through the creation of an international vulnerability coordinator community of practice. |
| | 3.5.2 | DOJ | Leverage the False Claims Act to improve vendor cybersecurity by expanding DOJ’s efforts to identify, pursue, and deter knowing failures to comply with cybersecurity requirements in Federal contracts and grants. |
| | 5.1.3 | FBI (DHS, DOD, DOJ, State, Treasury) | Strengthen Federal law enforcement collaboration mechanisms with allies and partners to increase the volume and speed of international law enforcement’s disruption of cybercriminals. |
| | 5.4.1 | State (DOD, DOJ, FBI) | Hold irresponsible states accountable when they fail to uphold their commitments. |
| Fiscal Year 2026 | | | |
| Q1 | 1.2.4 | CISA (SRMAs) | Investigate opportunities for new and improved information sharing and collaboration platforms, processes, and mechanisms. |
| Q2 | – | – | – |
| Q3 | – | – | – |
| Q4 | 5.2.2 | DOJ (State, FBI, HSI, USSS) | Expand international partners’ cyber capacity through operational law enforcement collaboration. |