The White House has published the first implementation plan for its National Cybersecurity Strategy, which aims to improve the strength of the software supply chain and increase public-private collaboration.
Improving the resilience of the market is a key focus, with efforts to establish a long-term software liability framework and reduce gaps in software bills of materials (SBOMs) to ensure unsupported software is not used for critical infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) will work with the private sector, non-profits, the open-source community, and academia to establish secure-by-design software and hardware.
In a fact sheet, the White House stated the plan ensures “the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk”.
Private sector firms will fall under further requirements laid out by CISA in an effort improve the speed and cohesiveness of reporting following cyber incidents.
Vendors that knowingly provide deficient cyber security products or services will also be pursued more heavily under the False Claims Act.
A Federal Cyber Insurance Backstop, which would see the government provide assistance in the event of a catastrophic incident, is also under consideration. The plan notes that such a scheme could support an uncertain cyber insurance market.
RELATED RESOURCE
The power of the One True Zero Trust Platform
Adopt a zero trust architecture to mitigate the risks posed by the current threat landscape.
This initiative is expected to reach completion by Q1 2024, though the plan could be revised at a later date depending on the outcome of the talks.
By the end of 2023, the Office of Management and Budget will lay out stricter Federal Acquisition Regulation (FAR) requirements for the procurement and labeling of Internet of Things (IoT) devices.
For future resilience, the government will invest heavily in the research and development of memory-safe programming languages as well as quantum-resistant cryptographic algorithms which will be necessary to protect encryption in the near future.
The plan is structured around five ‘pillars’, under which lie more than 65 initiatives for improving the federal, public, and private cyber security landscape.
- Defending Critical Infrastructure
- Disrupting and Dismantling Threat Actors
- Shaping Market Forces and Driving Security and Resilience
- Investing in a Resilient Future
- Forging International Partnerships to Pursue Shared Goals
The White House described the plan as a “living document”, which will be updated annually in line with evolving needs and ambitions for US cyber defense.
On threat actors, the Office of the National Cyber Director is set to work with federal partners as well as those in the private sector to find ways in which existing systems can be used to disrupt cyber criminals.
The document also assigns the Department of State and the Joint Ransomware Task Force (JRTF) to “defeat ransomware” by disrupting the worldwide threat ecosystem.
Ransomware gangs such as LockBit have been in the crosshairs of international law enforcement in recent months. The Department of Justice (DoJ) has ramped up arrests against alleged members of the group, and put out a $10 million bounty for another in May.
CISA, along with JRTF, will also provide training, analysis, planning, and incident response services to private and public sector organizations that oversee critical national infrastructure.
“The National Cybersecurity Strategy Implementation Plan (NCSIP) gives much-needed guidance for agencies on improving cyber resilience,” said Gary Barlet, Federal CTO at Illumio.
“It assigns timebound goals and initiatives to each agency – giving them direction on how to reach the strategy’s clear objectives. These goals and initiatives also display a sense of urgency, which is important, as the pace of technology makes it impossible to imagine the impact it will have on security in three, five, or ten years. It focuses on building cyber resilience now as well as down the road.
“This plan reflects the urgency of today’s cyber threats, and also demonstrates an understanding of the resource and fiscal challenges agencies face in overcoming these dangers. While the NCSIP doesn’t include direct funding, it does align with the administration’s cyber budget priorities to better position agencies to achieve their objectives and combat cyber attacks.
“If agencies can align their budgetary responsibilities and resources with these initiatives, then they will be well equipped to bolster their cyber resilience today and tomorrow.”
-
Layoffs loom for underskilled tech workers and poor performersNews Tech hiring managers expect to make layoffs in the coming months, with roles ripe for automation and workers with outdated skills the most likely to be cut.
-
Executives think AI can supercharge cybersecurity teams – analysts aren’t convincedNews As organizations adopt AI, frontline cybersecurity workers are worried AI will reduce job security and increase their manual workload
-
IDC warns US tariffs will impact tech sector spendingNews IDC has warned that the US government's sweeping tariffs could cut global IT spending in half over the next six months.
-
US government urged to overhaul outdated technologyNews A review from the US Government Accountability Office (GAO) has found legacy technology and outdated IT systems are negatively impacting efficiency.
-
US proposes new ‘know-your-customer’ restrictions on cloud providersNews The US aims to stifle Chinese AI competition with new restrictions on cloud providers to verify foreign data center users
-
SEC passes rules compelling US public companies to report data breaches within four daysNews Foreign entities trading publicly in the US will also be held to comparative standards
-
US ‘Tech Hubs’ drive aims to boost innovation in American heartlandsNews The development of the hubs will could help drive regional innovation and support for tech companies
-
Biden sets June deadline for $42 billion broadband funding outlineNews The announced deadline come prior to a much-awaited update to the FCC's US broadband map, giving a clearer image of the internet challenges facing the nation
-
FCC eyes formal ban of all Huawei, ZTE equipment salesNews Approaching the deadline to pass such a ruling, companies such as Kaspersky face similar restrictions
-
White House proposes fresh Bill of Rights to limit AI threatsNews The Biden administration is hoping it will act as a guide for the development and use of AI that protects citizens from harms
