The National Cybersecurity Strategy Implementation Plan Impacts Agencies and Industry

The White House recently published their anticipated National Cybersecurity Strategy Implementation Plan (NCSIP), outlining more than 65 “high-impact initiatives” that range in scope from combatting cybercrime to building a skilled cyber workforce. The plan’s initiatives have implications for industry as well as federal agencies that rely on commercial IT and cybersecurity products and services.

The new NCSIP follows the same structure as the National Cybersecurity Strategy (NCS), which the Biden Administration released in March, and is intended to provide a roadmap and momentum to the strategy. Leadership for the initiatives is spread among 18 federal agencies, with the Office of the National Cyber Director (ONCD) coordinating efforts under the plan and the Office of Management and Budget (OMB) ensuring agency budgets are aligned with NCSIP initiatives. The Cybersecurity and Infrastructure Security Agency (CISA) will set and update much of the civilian agency-wide cybersecurity policies and initiatives. The IP will be updated annually, based on progress and changing needs.

There are numerous elements of the NCS and NCSIP that may be of interest to both federal contractors and suppliers of IT goods and services which federal agencies procure. Some agency efforts will require industry expertise and contracted support to achieve success.

• Federal Cybersecurity Center Capability Review - By the end of Q4 FY23, the ONCD will finish a review of Federal Cybersecurity Centers and related centers to identify capability gaps and other findings. ONCD will lead the effort to integrate these centers and increase collaboration at speed and scale.
• Agency IT Modernization - OMB is leading the development of a multi-year lifecycle plan to accelerate IT modernization at federal civilian agencies, prioritizing efforts to eliminate legacy systems, “which are costly to maintain and difficult to defend.” The deadline for the plan is Q4 FY24 OMB and CISA will develop an action plan to secure unclassified civilian agency systems “through collective operational defense,” and expand the use of centralized shared cybersecurity services, enterprise license agreements and software supply chain risk mitigation. The plan is due in 2Q FY24.
• Increasing Cloud Services Cybersecurity - The Department of Commerce is tasked with updating federal risk-based rules, standards and procedures for cloud Infrastructure-as-a-Service (IaaS) providers and resellers to address known vulnerabilities and malicious activities. The IP sets Q4 of FY 2023 for the DOC to publish a related Notice of Proposed Rulemaking.
• Secure-by-Design Software and Hardware - CISA is charged with collaborating across sectors and stakeholders to drive the development and adoption of secure-by-design and secure-by-default software and hardware practices across the private sector. Completion is set for Q4 FY24.
• Shifting Software Security Liability - The NCS seeks to shift liabilities for cybersecurity to software producers and service providers. Under the IP, the ONCD will host a legal symposium by Q2 FY24 to explore approaches to a new software liability framework. CISA is working to advance the implementation of a software bill of materials (SBOMs) framework by Q2 FY25.
• Incident Response Coordination - CISA is updating the National Cyber Incident Response Plan (NCIRP), to refine and strengthen cross-sector coordination in responding to cyber incidents. The update is to clarify for external partners the roles and capabilities of federal agencies in incident response and recovery. The update is scheduled to be completed in Q1 FY25.
• Quantum-Resistant Federal Systems - OMB and the National Security Agency (NSA) are to prioritize the transition of federal systems and networks to quantum-resistant, cryptography-based environments and develop mitigation strategies to provide cryptographic agility for future risks. This effort is to be completed in Q1 FY25 for vulnerable federal networks and systems and in Q3 FY25 for National Security Systems (NSS).
• Internet of Things Cybersecurity - By Q4 FY23, the Office of Federal Procurement Policy (OFPP) and the Federal Acquisition Regulatory (FAR) Council are to propose FAR changes to improve the cybersecurity of Internet of Things (IoT) devices, etc. aligned with the Internet of Things Improvement Act of 2020. In parallel, the National Security Council is developing an IoT security labeling program, of which the NSC is to “identify the broad contours” and name a lead agency by the end of Q4 FY23.
• Cyber-Related Acquisition Rules - By Q1 FY24, the Office of Federal Procurement Policy (OFPP) and the Federal Acquisition Regulatory (FAR) Council are to release draft rules and proposed changes to the FAR, addressing cybersecurity incident reporting, standard cybersecurity contract requirements and secure software requirements. Public comments will be considered.
• Prosecuting Cyber-Fraud by Contractors - The Department of Justice is charged with expanding their Civil Cyber-Fraud Initiative (CCFI) efforts to identify and prosecute under the False Claims Act companies that fail to comply with cybersecurity requirements included in their federal contracts or grants. The effort is due in Q4 FY25.
• Harmonizing Cyber Regulations - The NCS set out to develop mandatory cybersecurity requirements and regulations for critical infrastructure protection under its Defend Critical Infrastructure pillar. On the heels of the NCSIP release, the ONCD subsequently released a request for information (RFI) seeking public input on cybersecurity regulatory harmonization and regulatory reciprocity, advancing one of the 69 initiatives in the NCSIP. The RFI gives industry partners an opportunity to provide feedback to the federal government on the current state of cyber regulations, including challenges with regulatory overlap and inconsistency so that the ONCD may “explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements,” according to a fact sheet release by the ONCD announcing the RFI. The initiative advances the NCS commitment to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.” Comments may be posted via Regulations.gov. Responses are due by 5:00 p.m. EDT on September 15, 2023.

Aligning Agency Budgets with the NCS

The NCSIP does align with OMB’s FY 2025 cybersecurity budget priorities, which laid out guidance for agencies to use in their budget preparations expected to be released in February 2024. Both the NCSP and its IP sustain themes that supported OMB’s FY 2024 cybersecurity budget guidance to agencies. One would anticipate that Congress will refine and support, via appropriations, these cyber initiatives and others as the overall strategy to improve the federal cybersecurity posture continues to evolve.