Following the announcement of the President’s Cybersecurity National Action Plan (CNAP), an initiative designed to “enhance cybersecurity capabilities within the Federal Government and across the country,” the White House has released a fact sheet outlining the different components of the CNAP.  The announcement of the CNAP follows the President’s request for $19 billion in funding for cybersecurity initiatives in fiscal year 2017, an increase of 35% over the previous year’s request.  The CNAP includes a mixture of near-term measures and long-term objectives, with the ultimate goal of enhancing the federal government’s cybersecurity posture while encouraging private citizens and businesses to do the same.  Some of the most significant aspects of the CNAP, discussed further below, include:

  • The launch of a cybersecurity awareness campaign to promote the use of multi-factor authentication;
  • A “systematic” review by the White House to identify areas where the federal government can reduce the use of Social Security Numbers as individual identifiers;
  • Plans for the development of a Cybersecurity Assurance Program to test and certify connected devices against certain security standards;
  • The creation of a Chief Information Security Officer (CISO) position within the federal government, coupled with a $3.1 billion initiative to modernize federal agencies’ IT systems and applications;
  • The establishment of a commission of private sector cybersecurity experts to offer recommendations on cybersecurity initiatives; and
  • The establishment of a Federal Privacy Council, composed of representatives from various key federal agencies, to coordinate guidelines for the federal government’s collection and storage of data.

As part of the CNAP, the President signed an Executive Order establishing the Commission on Enhancing National Cybersecurity.  This Commission will assemble twelve leading cybersecurity and privacy experts from across the private sector to provide recommendations for  procurement and management of federal civilian IT systems, state and local cyber initiatives, and critical infrastructure protection.  The Commission’s final report to the President will be due on December 1, 2016.  In recognition of the growing cybersecurity risks presented by the Internet of Things, the Department of Homeland Security will collaborate with UL and other industry stakeholders to develop a Cybersecurity Assurance Program to test and certify connected devices.  The fact sheet notes that the Program will allow consumers to purchase certified devices with confidence that they “meet security standards.”

The CNAP fact sheet also announced the kickoff of the National Cybersecurity Awareness Campaign in coordination with the National Cyber Security Alliance and other private-sector entities.  This campaign will focus on promoting the use of multi-factor authentication, whether through biometrics, one-time codes, or otherwise.  The fact sheet notes that the National Cyber Security Alliance will partner with Microsoft, Facebook, PayPal, Google, Dropbox, MasterCard, Visa, Venmo, and other private sector entities to focus on securing online accounts and transactions.  As part of this campaign, the federal government will undertake a systematic review to identify opportunities to reduce reliance on Social Security Numbers as individual identifiers.

To promote public-private collaboration on cybersecurity, the CNAP includes several initiatives from the federal government to offer cybersecurity assistance to the private sector.  The Department of Homeland Security, the Department of Commerce, and the Department of Energy will establish a National Center for Cybersecurity Resilience, which will allow entities to test the security of systems, such as electric grids, in a contained environment.  The Department of Homeland Security will double the number of cybersecurity advisors available to assist private entities, while the National Institute of Standards and Technology will solicit feedback to further develop its Cybersecurity Framework for critical infrastructure.  The fact sheet also notes that the administration plans to release a policy for national cyber incident coordination, and an accompanying severity methodology for evaluating cyber incidents, by the spring of 2016.

To improve the federal government’s cybersecurity posture, the CNAP establishes the position of a Federal Chief Information Security Officer, and creates a $3.1 billion Information Technology Modernization Fund to speed up agencies’ efforts to upgrade older systems and applications.  The federal CISO, who will work within the Office of Management and Budget and report to the Federal Chief Information Officer (currently, Tony Scott), will oversee cybersecurity policy for all federal civilian agencies.  The administration hopes to fill this new position within the next 60 to 90 days.  The IT Modernization Fund, which builds off of the administration’s previously released Cybersecurity Implementation Plan, will allow agencies to upgrade legacy systems and create savings through reduced maintenance costs.  The GSA will administer the fund, focusing on efforts to move from high-cost applications to modern architectures, such as the cloud and shared services.

President Obama also signed an executive order establishing the Federal Privacy Council, which will bring together top privacy officials from agencies across the federal government to recommend improvements for the federal government’s privacy policies and requirements.  Finally, the CNAP provides for funding the deployment of the Department of Homeland Security’s Einstein and Continuous Diagnostics and Mitigation programs across federal civilian agencies during fiscal year 2017, in addition to funding for increased recruitment of federal cybersecurity employees.

Tags: Congress, Cybersecurity, Data Breach, Data Security, House of Representatives, Senate, White House
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less