On July 13, 2023 the White House issued the National Cybersecurity Strategy Implementation Plan (“NCSIP”).  The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year.  This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually.  Consistent with the Strategy, the NCSIP contemplates five broad lines of effort (“pillars”):

  • Defending critical infrastructure;
  • Disrupting and dismantling threat actors;
  • Shaping market forces to drive security and resilience;
  • Investing in a resilient future; and
  • Forging international partnerships to pursue shared goals.

Among the many initiatives, the Administration has outlined several specific efforts over the next three years that will be of interest to technology companies, federal contractors, and critical infrastructure owners and operators.

  • By the end of FY2023, the Administration plans to implement the government’s Internet of Things (“IoT”) security labeling program and – in line with the IoT Cybersecurity Improvement Act of 2020 – propose corresponding changes to the Federal Acquisition Regulation (“FAR”).  The Administration also plans to publish a Notice of Proposed Rulemaking on requirements, standards, and procedures for Infrastructure-as-a-Service providers and resellers, in line with E.O. 13984.
  • In the first quarter of FY2024, the Administration plans to propose FAR changes required under E.O. 14028 (the “Cyber EO”) regarding standardizing cybersecurity requirements for unclassified federal information systems (FAR Case 2021-019), cyber threat and incident reporting and information sharing (FAR Case 2021-017), and supply chain software security (FAR Case 2023-002).  The Department of Energy, working with CISA and the Office of the National Cyber Director (“ONCD”), will also “drive adoption of cyber secure-by-design principles by incorporating them into Federal projects.”  In the second quarter of FY2024, ONCD – as part of the Administration’s efforts to shift liability for insecure software products and services from users to producers and vendors – plans to propose a plan to harmonize baseline cybersecurity requirements for critical infrastructure and to develop a “long-term, flexible, and enduring software liability framework” with an “adaptable safe harbor.”  
  • By the first quarter of FY2025, the National Institute of Standards and Technology (“NIST”) plans to publish Cybersecurity Framework 2.0 to keep pace with advancing technology and evolving threats.  During the second quarter of FY2025, CISA will work with key stakeholders to identify and reduce gaps in software bills of materials (“SBOMs”) and explore requirements for a globally accessible database for end-of-life/end-of-support software.  By the end of FY2025, CISA will issue final rules in line with the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”).  The Department of Justice (“DOJ”) will also be tasked with expanding its efforts to leverage the False Claims Act to pursue civil actions against government contractors who fail to meet cybersecurity obligations.
  • By the first quarter of FY2026, CISA will lead a cross-sector effort to review public-private collaboration mechanisms to ensure that there are effective information sharing platforms and processes in place to address emerging cyber threats.

The following table provides an overview of NCSIP initiatives, arrayed in the order that the Administration plans to complete each effort.

| Completion Date | Line of Effort | Lead Agency (coordinating agencies) | Description |
|---|---|---|---|
| FY2023 Q2 | 1.4.4 | DHS (DOD, DOJ, CISA, FBI, NSA, OMB, ONCD) | Draft legislation to codify the Cyber Safety Review Board (“CSRB”) with the required authorities to carry out comprehensive review of significant incidents. |
| FY2023 Q4 | 1.3.1 | ONCD (OMB) | Assess and improve Federal Cybersecurity Centers’ and related cyber centers’ capabilities and plans necessary for collaboration at speed and scale. |
| FY2023 Q4 | 2.4.1 | Commerce (DHS, DOJ, ODNI, FBI) | Publish a Notice of Proposed Rulemaking on requirements, standards, and procedures for Infrastructure-as-a-Service (“IaaS”) providers and resellers. |
| FY2023 Q4 | 2.5.1 | State (DHS, DOJ, CISA, FBI) | Develop an international engagement plan to discourage nations from acting as safe havens for ransomware criminals and strengthen international cooperation in countering transnational cybercrime. |
| FY2023 Q4 | 3.2.1 | OMB | Implement FAR requirements per the Internet of Things (“IoT”) Cybersecurity Improvement Act of 2020. |
| FY2023 Q4 | 3.2.2 | NSC | Initiate a U.S. Government IoT security labeling program. |
| FY2023 Q4 | 3.4.1 | ONCD (CISA, OMB) | Leverage Federal grants to improve infrastructure cybersecurity. |
| FY2023 Q4 | 3.4.2 | OSTP (OMB, ONCD) | Prioritize funding for cybersecurity research. |
| FY2023 Q4 | 5.5.3 | NTIA (DHS, DOD, ODNI, FCC, NIST) | Begin administering the Public Wireless Supply Chain Innovation Fund. |
| FY2023 Q4 | 6.1.3 | ONCD (OMB) | Align budgetary guidance with National Cybersecurity Strategy implementation. |
| FY2024 Q1 | 1.1.1 | ONCD (FCC, OMB) | Establish an initiative on cyber regulatory harmonization. |
| FY2024 Q1 | 1.2.2 | CISA (SRMAs, NSC, ONCD) | Provide recommendations for the designation of critical infrastructure sectors and Sector Risk Management Agencies (“SRMAs”). |
| FY2024 Q1 | 1.4.3 | ONCD (DHS) | Develop exercise scenarios to improve government’s cyber incident response. |
| FY2024 Q1 | 2.1.1 | DOD | Publish an updated DOD Cyber Strategy to focus on challenges posed by nation-states and other malicious actors whose capabilities or campaigns pose a strategic-level threat to the United States and its interests. |
| FY2024 Q1 | 2.5.2 | FBI (DOJ, CISA, NSA, USSS) | Disrupt ransomware crimes by using all elements of national power. |
| FY2024 Q1 | 3.5.1 | OMB | Implement FAR changes required under the Cyber E.O. |
| FY2024 Q1 | 3.6.1 | Treasury (CISA, ONCD) | Assess the need for a Federal insurance response to a catastrophic cyber event that would support the existing cyber insurance market. |
| FY2024 Q1 | 4.1.2 | ONCD (CISA, NSF, OMB) | Promote open-source software security and the adoption of memory safe programming languages. |
| FY2024 Q1 | 4.1.3 | NIST | Convene the Interagency International Cybersecurity Standardization Working Group to coordinate on major issues in international cybersecurity standardization and enhance U.S. Federal agency participation in the process. |
| FY2024 Q1 | 4.2.1 | OSTP (DHS, CISA, NIST, NSF) | Accelerate maturity, adoption, and security of memory safe programming languages. |
| FY2024 Q1 | 4.4.1 | DOE (CISA, NIST, ONCD) | Drive adoption of cyber secure-by-design principles by incorporating them into Federal projects. |
| FY2024 Q1 | 5.1.2 | State (OMB, ONCD) | Publish an International Cyberspace and Digital Policy Strategy in accordance with the FY23 National Defense Authorization Act. |
| FY2024 Q1 | 5.2.1 | State (Commerce, DHS, DOD, DOE, DOJ, Treasury, CISA, FBI, USAID) | Strengthen international partners’ cyber capacity. |
| FY2024 Q1 | 5.3.1 | State (DHS, DOD, FBI, USAID) | Establish flexible foreign assistance mechanisms to provide cyber incident response support quickly. |
| FY2024 Q2 | 1.5.1 | OMB (CISA, NIST, ONCD) | Secure unclassified Federal Civilian Executive Branch (“FCEB”) systems through collective operational defense and expanded use of centralized shared services, enterprise license agreements, and software supply chain risk mitigation. |
| FY2024 Q2 | 2.1.5 | FBI | Increase speed and scale of disruption operations. |
| FY2024 Q2 | 2.2.1 | ONCD (DOJ, CISA, FBI, NSA, USSS) | Identify mechanisms for increased adversarial disruption through public-private operational collaboration. |
| FY2024 Q2 | 2.5.3 | DOJ | Investigate ransomware crimes and disrupt the ransomware ecosystem. |
| FY2024 Q2 | 3.3.1 | ONCD | Explore approaches to develop a long-term, flexible, and enduring software liability framework, working with key stakeholders. |
| FY2024 Q2 | 4.1.1 | OMB (CISA, ONCD) | Lead the adoption of network security best practices such as encryption of Domain Name System requests (as aligned with the zero trust strategy and maturity model). |
| FY2024 Q2 | 4.4.2 | ONCD (CPO, NEC, OSTP) | Develop a plan to ensure the digital ecosystem can support and deliver the U.S. government’s de-carbonization goals. |
| FY2024 Q2 | 4.6.1 | ONCD | Publish a National Cyber Workforce and Education Strategy and track its implementation. |
| FY2024 Q2 | 5.5.1 | State (Commerce, DHS, NSC, ONCD, USTR) | Promote the development of secure and trustworthy information and communication technology networks and services. |
| FY2024 Q2 | 5.5.2 | State (Commerce, DFC, EXIM, USAID, USTDA) | Promote a more diverse and resilient supply chain of trustworthy information and communication vendors. |
| FY2024 Q2 | 6.1.2 | ONCD (DHS, DOD, DOJ, CISA, FBI, NSA, OMB) | Apply lessons learned to the National Cybersecurity Strategy implementation. |
| FY2024 Q3 | 1.2.3 | CISA (DOJ, FBI, NSA, SRMAs) | Evaluate how CISA can leverage existing reporting mechanisms or the potential creation of a single portal to integrate and operationalize SRMAs’ sector-specific systems and processes. |
| FY2024 Q3 | 2.3.2 | ODNI (DOD, DHS, DOJ, FBI, NSA, NSC, ONCD) | Remove barriers to delivering cyber threat intelligence and data to critical infrastructure owners and operators. |
| FY2024 Q3 | 4.1.5 | ONCD (DOJ, CISA, FCC, NIST, NSA, NTIA, OSTP) | Collaborate with key stakeholders to drive secure Internet routing. |
| FY2024 Q3 | 6.1.1 | ONCD (OMB) | Report progress and effectiveness on implementing the National Cybersecurity Strategy. |
| FY2024 Q4 | 1.2.1 | CISA (NIST, NSF, SRMAs) | Scale public-private partnerships to drive development and adoption of secure-by-design and secure-by-default technology. |
| FY2024 Q4 | 1.5.2 | OMB (CISA, GSA, ONCD) | Modernize FCEB technology, prioritizing Federal efforts to eliminate legacy systems which are costly to maintain and difficult to defend. |
| FY2024 Q4 | 1.5.3 | NSA (OMB, ONCD) | Secure National Security Systems (“NSS”) at FCEB agencies. |
| FY2024 Q4 | 2.1.4 | DOJ (DHS, Treasury, CISA, FBI, USSS, ONCD) | Propose legislation to disrupt and deter cybercrime and cyber-enabled crime. |
| FY2024 Q4 | 2.5.5 | Treasury (DOJ, State, USSS, NSC) | Support other countries’ efforts to adopt and implement the global anti-money laundering/countering the financing of terrorism standards for virtual asset service providers. |
| FY2024 Q4 | 3.4.3 | NSF | Prioritize cybersecurity research, development, and demonstration to understand individual and societal impacts on cybersecurity through research in cyber economics, human factors, information integrity, and related topics. |
| FY2024 Q4 | 4.1.4 | NIST | Collaborate with the interagency, industry, academia, and others to address Border Gateway Protocol (“BGP”) and Internet Protocol Version 6 (“IPv6”) security gaps by driving development, commercialization, and adoption of international standards. |
| FY2024 Q4 | 4.4.3 | DOE (NIST) | Build and refine training, tools, and support for engineers and technicians using cyber-informed engineering principles. |
| FY2024 Q4 | 5.1.4 | ONCD (DOJ, State, FBI) | Commission a study on the European Cybercrime Centre to inform the development of future cyber hubs. |
| FY2025 Q1 | 1.1.3 | NIST (CISA, SRMAs) | Increase agency use of frameworks and international standards to inform regulatory alignment. |
| FY2025 Q1 | 1.4.1 | CISA (DOJ, FBI, SRMAs, USSS, ONCD) | Update the National Cyber Incident Response Plan (“NCIRP”). |
| FY2025 Q1 | 2.1.3 | DOJ | Expand organizational platforms dedicated to disruption campaigns against cybercriminals, nation-state adversaries, and associated enablers. |
| FY2025 Q1 | 2.3.1 | NSC (DHS, DOJ, ODNI, CIA, CISA, FBI, NSA, SRMAs, USSS) | Identify and operationalize sector-specific intelligence needs and priorities. |
| FY2025 Q1 | 2.5.4 | CISA (FBI, SRMAs, USSS, NSC) | Support private sector and state, local, Tribal, and territorial efforts to mitigate ransomware risk by offering training, cybersecurity services, technical assessments, pre-attack planning, and incident response to critical infrastructure organizations. |
| FY2025 Q1 | 4.3.1 | OMB (NSA, ONCD) | Implement National Security Memorandum-10 and transition vulnerable public networks and systems to quantum-resistant cryptography-based environments. |
| FY2025 Q1 | 4.3.3 | NIST | Standardize and support transition to post-quantum cryptographic algorithms. |
| FY2025 Q1 | 5.1.1 | State (Commerce, DHS, DOJ, CISA, FBI, USAID) | Create interagency teams for regional cyber collaboration and coordination. |
| FY2025 Q2 | 1.1.2 | NSC (SRMAs, ONCD) | Set cybersecurity requirements across critical infrastructure sectors. |
| FY2025 Q2 | 1.2.5 | CISA (SRMAs, NSC) | Establish and codify an SRMA support capability to serve as the single point of contact for supporting all SRMAs. |
| FY2025 Q2 | 3.3.2 | CISA | Advance software bills of materials (“SBOMs”) and mitigate the risk of unsupported software. |
| FY2025 Q2 | 5.5.4 | NIST | Promulgate and amplify Cybersecurity Supply Chain Risk Management (“C-SCRM”) key practices across and within critical infrastructure sectors. |
| FY2025 Q3 | 4.3.2 | NSA (DOD, ODNI) | Implement transition of NSS to quantum-resistant cryptography. |
| FY2025 Q4 | 1.4.2 | CISA (DOJ, FBI, SRMAs, USSS) | Issue final Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) rule. |
| FY2025 Q4 | 2.1.2 | FBI (DOJ) | Strengthen the National Cyber Investigative Joint Task Force (“NCIJTF”) capacity. |
| FY2025 Q4 | 3.3.3 | CISA (State) | Build domestic and international support for an expectation of coordinated vulnerability disclosure among public and private entities, across all technology types and sectors, including through the creation of an international vulnerability coordinator community of practice. |
| FY2025 Q4 | 3.5.2 | DOJ | Leverage the False Claims Act to improve vendor cybersecurity by expanding DOJ’s efforts to identify, pursue, and deter knowing failures to comply with cybersecurity requirements in Federal contracts and grants. |
| FY2025 Q4 | 5.1.3 | FBI (DHS, DOD, DOJ, State, Treasury) | Strengthen Federal law enforcement collaboration mechanisms with allies and partners to increase the volume and speed of international law enforcement disruption of cybercriminals. |
| FY2025 Q4 | 5.4.1 | State (DOD, DOJ, FBI) | Hold irresponsible states accountable when they fail to uphold their commitments. |
| FY2026 Q1 | 1.2.4 | CISA (SRMAs) | Investigate opportunities for new and improved information sharing and collaboration platforms, processes, and mechanisms. |
| FY2026 Q4 | 5.2.2 | DOJ (State, FBI, HSI, USSS) | Expand international partners’ cyber capacity through operational law enforcement collaboration. |

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group and as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well as more traditional government contracting cost, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob is ranked by Chambers USA for his work in government contracts and he writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Shayan Karbassi

Shayan Karbassi is an associate in the firm’s Washington, DC office. He represents and advises clients on a range of cybersecurity and national security issues. As a part of his cybersecurity practice, Shayan assists clients with cyber and data security incident response and preparedness, government and internal investigations, and regulatory compliance. He also regularly advises clients with respect to risks stemming from U.S. criminal and civil anti-terrorism laws and other national security issues, to include investigating allegations of terrorism-financing and litigating Anti-Terrorism Act claims.

Shayan maintains an active pro bono litigation practice with a focus on human rights, freedom of information, and free media issues.

Prior to joining the firm, Shayan worked in the U.S. national security community.