Implementation plan turns US National Cybersecurity Strategy into concrete objectives | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

The White House released its implementation plan for President Biden’s National Cybersecurity Strategy, broadly breaking down how it plans to accomplish more than 65 tasks involving 18 agencies outlined by the sweeping plan announced in March. The National Cybersecurity Strategy Implementation Plan (NCSIP) is a roadmap to realize the strategy’s “bold affirmative mission” and ensures transparency and a continued path to coordination, the White House said.

“If the strategy represents the president’s vision for the future, then this implementation plan is the roadmap to get there,” Acting National Cyber Director (NCD) Kemba Walden told reporters. It is a “living document,” she said, parts of which have already been achieved, with the White House planning to update it next year and annually after that.

The White House said that the Office of the National Cyber Director (ONCD) will coordinate activities under the plan, report to the President and Congress annually on the status of implementation, and partner with the Office of Management and Budget (OMB) to ensure funding proposals in the President’s Budget Request are aligned with NCSIP initiatives.

The NCSIP will “turn strategy into policy measurable objectives,” Mark Montgomery, senior director of the Center on Cyber and Technology Innovation and senior fellow at the Foundation for Defense of Democracies (FDD), tells CSO.

“It’s pretty unusual to see as detailed of an implementation plan published for a national strategy. The administration and the ONCD [Office of the National Cybersecurity Director] should get credit for pushing through and publishing an implementation plan like this,” Michael Daniel, head of the Cyber Threat Alliance and former White House cyber official, tells CSO.  

Five cybersecurity strategy pillars, with a new sixth element

Like the strategy itself, the NCSIP is structured according to five pillars:

  • Defending Critical Infrastructure
  • Disrupting and Dismantling Threat Actors
  • Shaping Market Forces and Driving Security and Resilience
  • Investing in a Resilient Future
  • Forging International Partnerships to Pursue Shared Goals.

The NCSIP adds a sixth element not contained in the original strategy: Implementation-wide Initiatives, which calls for future reporting on strategy implementation progress, applying lessons learned from implementing the strategy, and ensuring federal budgetary guidance aligns with the strategy’s implementation.

Every initiative under each pillar is assigned to a responsible agency, with other contributing agencies designated where relevant, along with a completion date. Most completion dates occur in 2024, although a handful of initiatives face deadlines throughout 2025.

For example, under pillar one, Defend Critical Infrastructure, the first strategic objective is Establish Cybersecurity Requirements to Support National Security and Public Safety. Under this objective, the ONCD, in coordination with the OMB, will work with regulators to identify opportunities to harmonize baseline cybersecurity requirements for critical infrastructure. The agency responsible for this initiative is ONCD, with the Federal Communications Commission (FCC) and OMB designated as contributing entities. The completion date for this initiative is 1Q FY24.

Accelerating movement that is already underway

Most of the objectives in the NCSIP represent forward momentum on ongoing, softer cybersecurity processes and procedures, such as collaboration and coordination, that the US government already has underway. “What I think is good about it is that there are concrete steps under each of the major objectives for how they’re going to try to make progress against that objective,” Montgomery says, even if the steps don’t produce definitive outcomes.

“We’ve had a lot of cyber strategies in the past, including going back to 2003, and they’re great,” Chris Painter, president of the Global Forum for Cyber Excellence Foundation Board and a former government official who served as the State Department’s first cyber diplomat, tells CSO. “They’re great documents, aspirational in many ways, but execution has always been an issue. So having a plan is important to try to force that next step, the implementation. I think the process of setting practical goals that you’re trying to achieve is itself a way to get the government to move and to collaborate.”

The sixth section of the NCSIP that relates to funding agencies is critical to executing the objectives. “They clearly make the link to resources and align budgets to actually support the strategy,” Daniel says. “When I worked at OMB, we used to joke that a strategy without resources is a hallucination.”

The completion deadlines in the plan push the execution of the strategy forward. “When you set deadlines, the good thing about that is it’s a forcing function to get people to meet those deadlines,” Painter says.

But it’s unrealistic to hope that Biden’s strategy can obtain significant cybersecurity actions within the one- to two-year windows encompassed by the plan. “Most of the national strategy objectives are things that are going to be difficult ever to declare that you’re completely a hundred percent done,” Daniel says.

That’s why metrics and annual reporting built into section six of the plan are essential, according to Daniel. “What I’d like to see down the road is the cadence for the reporting and some good honest assessment of, ‘Hey, we fell behind in this. We fell behind on this schedule. Here’s why.’ Here’s the newly revised schedule,’” he says.

Challenges to the National Cybersecurity Strategy ahead

One key topic missing from the NCSIP is any mention of cloud computing, which could still be addressed in future iterations. “The major thing I don’t see is more aggressively tackling the issue of security in the cloud,” Montgomery said. “Twenty years of a voluntary partnership has not gotten us more secure moving more things to the cloud. There’s no regulation. We need to label the cloud a critical infrastructure, assign a sector risk management agency, assess the risk, and decide if we need to regulate or work closely with [cloud providers] for self-standardization. We probably missed an opportunity there to start tackling that. And I don’t doubt that they tried, but that’s going to have interagency challenges.”

Although the interagency process that led to the plan’s creation appears to have worked well, some interagency coordination bumps could appear down the road. “The idea is they should be playing together as an orchestra some, but sometimes there’s overlap, and there’s tussles among agencies,” Painter says. “What you’d almost like to see is an implementation plan for each of the initiatives from the lead agencies,” although he adds that’s an implausible scenario. “I think it’s going to be just an interesting process to watch and see how the agencies are going to address these things.”


Click Here For The Original Source.

National Cyber Security