New cyber strategy bets on coordination over regulation


Terry Gerton The Trump administration issued its long-awaited Cyber Strategy for America in early March. ITI was involved in providing input to that and commented on it when it came out. So you’ve had a few weeks to dig into it a little bit more. From ITI’s perspective, what are the big points around industry implementation in this strategy?

John Miller Well, first of all, at the top line, from the ITI perspective and the industry perspective, I think there’s a lot to like in the strategy. It’s certainly very positive. I think if we look at it in particular, kind of in comparison to some of the prior strategies we’ve seen, it really seems to be focused on empowering the private sector in a few different ways. Shifting from compliance to a more operational partnership model is one of the ways that I think it’s doing that. There’s a pillar around deregulation and more common-sense rules, which is a bit of a departure from some of what we saw in the last administration, where there were software liability mandates that were put into effect. And I think there are really some market opportunities around federal procurement, because there’s a major focus on modernizing federal networks in the strategy, which is going to create significant demand for various high-tech solutions, not only AI and quantum, but things like zero trust. I kind of didn’t exactly answer your question about implementation, because I think that’s probably one of the questions, as to what the implementation details are, because unlike in some of the previous strategies that we’ve seen, there at least to date has not really been an implementation plan published, right? So I think that’s one of the questions that is lingering in some folks’ minds.

Terry Gerton Well, you laid out a great roadmap there. I want to take each of those in turn, one at a time. Let’s start with deregulation, because ITI has long argued that the fragmentation of cyber regulations really slows down both compliance and cybersecurity. Where does this strategy meaningfully change how federal cyber requirements are coordinated and maybe reduced in practice?

John Miller For as long as I’ve been working in cybersecurity, which is too long, probably, I think we’ve been talking about regulatory streamlining, and the reality is that … a lot of times, compared to, say, Europe, the U.S. is not known as being a regulatory environment, perhaps, on technology regulation, but that’s really not the case in cyber. There are lots and lots of different cyber regulations, particularly when we layer on the various sectoral regulators and, you know, the federal procurement space and everything like that. So this strategy is very overtly saying, we want to promote common-sense regulation, and the U.S. is going to aim to streamline cyber regulations and reduce compliance burdens on the private sector, with the idea being to allow for greater agility against evolving threats. What does that mean in practice? One thing is it says, we want to get rid of costly compliance checklists and move to risk-based security, potentially streamlining overlapping regulations from agencies like CISA and the SEC. I think on that note in particular, one of the potentially really positive aspects is whether we see in the implementation actual streamlining of security incident notification regulations. That was an area that was identified by the last administration as essentially — they had a separate incident reporting council that they stood up, and they tallied over 30 different incident reporting notification regulations. And if we can streamline even those alone, it would actually do a lot of good for industry. I mean, one of the questions is what’s going to happen to the SEC rule that was put forward during the last administration. Another question is what is going to happen to CIRCIA, which was the big incident notification rule that CISA has been working on for a few years and which is now overdue. So in the security incident notification space, it’s an area where we could definitely see a lot of progress.
I think that the other one that’s noteworthy, particularly when we think about what we saw focus on during the last administration, is around software and software liability. You’ve actually seen a walking back of, for instance, the OMB memo that required contractors to submit a form and some of those related types of requirements. So, you know, potentially a good thing. And I’m constantly hedging a little bit here because, again, we haven’t necessarily seen what replaces some of these things and how they’re implemented. But I think there’s a lot of optimism that, from an industry perspective, we’ll be in a better place than where we started at the beginning of the administration.

Terry Gerton I’m speaking with John Miller. He’s general counsel and senior VP of policy at the Information Technology Industry Council. Well, John, let’s continue in that discussion of the regulatory environment, because in a world where you have less regulation, that may be good for innovation, that may be good for technology advancement, but you still need a traffic cop to kind of keep everybody aligned and moving in the same direction. And the strategy places a renewed emphasis on coordination through the Office of the National Cyber Director. From industry’s perspective, is ONCD staffed and capable? Do they have the capacity to provide that kind of oversight in this new environment?

John Miller I think they do. They’re certainly not fully staffed up if you compare, again, to the last administration, but I think that they would tell you that they’re being nimble and efficient in that regard. I think we’re finally seeing ONCD’s role as envisioned in the legislation that launched it a few years back starting to materialize. It never quite did in the last administration, because you had ONCD, you had CISA, you had the National Security Council, and prominent figures leading all three of those agencies. And I think sometimes, from an industry perspective, it was not necessarily clear if there was one traffic cop, as you said; perhaps there were three. And again, there’s nothing wrong with that necessarily, but I do think we have more clarity now as to who is in charge, and so just that alone, I think, is positive. On the flip side, clearly CISA is still going to have a key operational role in the implementation of various parts of the strategy, and unfortunately we still haven’t kind of seen a fully staffed-up CISA yet during this administration. There’s still no permanent director, and we’ve obviously had a couple of different government shutdowns, including the ongoing shutdown affecting all of DHS, which has further depleted their resources. So I’m kind of more concerned with the resources on the CISA side than I am on the ONCD side.

Terry Gerton Thinking about those two organizations, you mentioned early on the operational partnership model, 80% of critical infrastructure is owned by the private sector, and yet the key government organizations that are needed to partner with industry might be a little less functional than we’d hope. How is this partnership going to play out now?

John Miller One of the other defining features of the strategy is that it’s really leaning in on the importance of private sector partners and operational collaboration. Not only in critical infrastructure, but there’s discussion in there about offensive cyber and, quote unquote, unleashing the private sector. I’ll put that to the side because that raises a separate set of questions. But getting back to critical infrastructure, one of the things that has hindered operational collaboration, to be candid, during the Trump administration is that we saw a key authority paused, if you will. The CIPAC authority is the Critical Infrastructure Partnership Advisory Council, which I’m very familiar with because I’ve participated in various CIPAC structures, you know, over the years, including the sector coordinating council, supply chain task force, you know, as well as others. It’s my understanding that those authorities are going to be coming back online very soon. You know, again, I’ll hedge in the sense that nothing is guaranteed until we actually see it happen. But I think that if those authorities come back online, from a private sector standpoint, we’re all kind of on standby and ready, willing and able to roll up our sleeves and work with the government: CISA, ONCD, and other federal partners across the critical infrastructure sector risk management agencies. We’re ready to go and really roll up our sleeves and implement the plan. And I think that, based on conversations with ONCD, I mean, they know that the hard work remains ahead now that the strategy is out. And I think there’s a great willingness to partner and to do that.

Terry Gerton Well, John, you just put a pin in the other point you mentioned up top, which was market opportunities and technology. The strategy highlights AI-enabled cyber defense, supply chain, quantum-related risks. Which of those will require the most near-term coordination between agencies and industries to get them right?

John Miller Probably a cop-out to say that we’re going to need close partnership on all of them. I guess I would say that, I mean, maybe I’m biased, having, again, done so much work on supply chain over the years, but I really do think that to kind of get supply chain right, we really need tight cooperation and coordination amongst the government and the private sector. There are a lot of different reasons for that, but, you know, primary amongst them is that we are, as the technology industry and certainly ITI members, you know, we’re all dealing with large, complex, globally distributed supply chains, and the government just does not have visibility and insight into those supply chains in the same way that the private sector partners do. And so that’s why, you know, partnering together on initiatives like the supply chain task force, I think, has been successful, because, again, it’s kind of, one plus one equals more than two in that regard, is what I would say. I mean, again, I don’t want to minimize the importance of collaboration on AI or quantum either. I mean, it’s going to be important across the board, but I just think because of the nature and complexity of supply chains, the government needs the private sector, you know, standing shoulder-to-shoulder with them to really address those important issues.

Terry Gerton John, you’ve been pretty clear in our discussion this morning that we don’t have the implementation plan that would go along with this strategy. But when you think about the vision that’s laid out here, what would you be looking for in terms of concrete actions or signals to tell you that the cyber strategy is being implemented in a way that actually improves security outcomes?

John Miller I mean, it’s a great question, and to be clear, at least as I understand it, just because there has not been an implementation plan published doesn’t necessarily mean that an implementation plan doesn’t exist. I’ve heard different things in this regard, but I mean it could be that there is an implementation plan and they’re just simply not going to publish it for one reason or another. That might make it a little bit trickier for some in industry, but I do think that one of the things that we’ll be looking for to know that the plan is being implemented, particularly with respect to how prominent private-sector partnership is featured in it, is that I think private sector partners in critical infrastructure sectors and the technology sector should be hearing from the government, from ONCD, from others on, you know, what they can do, how they can help, how the government wants to or aspires to work with the private sector. I mean, it’s really just a big question as to exactly what we’re going to see. But if the strategy is being implemented as it’s designed, companies, and again, when we’re talking about critical infrastructure, defense contracting, cybersecurity services, I think, they’re going to see heightened government engagements, and I think that’s going to mean that companies are going to have to have skin in the game too, in trying to help, you know, make this strategy and the goals a reality. And again, a lot of those goals are things that companies have been asking for for a long time, right, like easing regulatory compliance burdens and things like that. But, you know, it’s not a free ride, is what I would say.

Copyright
© 2026 Federal News Network. All rights reserved.