The National Cybersecurity Strategy Implementation Plan (NCSIP) includes over 65 Federal initiatives, from combatting cybercrimes to building a skilled cyber workforce equipped to excel in an increasingly digital economy.
The Biden-Harris Administration recently released its National Cybersecurity Strategy, which calls for two fundamental shifts in how the U.S. allocates roles, responsibilities, and resources in cyberspace:
- Ensuring that the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk
- Increasing incentives to favor long-term investments into cybersecurity
Last week, the Administration released The National Cybersecurity Strategy Implementation Plan (NCSIP), which is intended to ensure transparency and a continued path for coordination. It details more than 65 high-impact Federal initiatives, from protecting American jobs by combatting cybercrimes to building a skilled cyber workforce equipped to excel in an increasingly digital economy.
Each of the NCSIP initiatives is assigned to one of 18 responsible agencies and has a timeline for completion. The Office of the National Cyber Director (ONCD) will coordinate activities under the plan, including an annual report to the President and Congress on the status of implementation, and partner with the Office of Management and Budget (OMB) to ensure funding proposals in the President’s Budget Request are aligned with NCSIP initiatives.
Below are some sample initiatives from the NCSIP, which is organized by the five NCS pillars and strategic objectives.
Defending Critical Infrastructure
Update the National Cyber Incident Response Plan: During a cyber incident, it is critical that the government acts in a coordinated manner and that private sector and SLTT partners know how to get help. The Cybersecurity and Infrastructure Security Agency (CISA) will lead a process to update the National Cyber Incident Response Plan to more fully realize the policy that “a call to one is a call to all.” The update will also include clear guidance to external partners on the roles and capabilities of Federal agencies in incident response and recovery.
Disrupting and Dismantling Threat Actors
Combat Ransomware: Through the Joint Ransomware Task Force, which is co-chaired by CISA and the FBI, the Administration will continue its campaign to combat the scourge of ransomware and other cybercrime. The FBI will work with Federal, international, and private sector partners to carry out disruption operations against the ransomware ecosystem, including virtual asset providers that enable laundering of ransomware proceeds and web fora offering initial access credentials or other material support for ransomware activities. A complementary initiative, led by CISA, will include offering resources such as training, cybersecurity services, technical assessments, pre-attack planning, and incident response to high-risk targets of ransomware, like hospitals and schools, to make them less likely to be affected and to reduce the scale and duration of impacts if they are attacked.
Shaping Market Forces and Driving Security and Resilience
Software Bill of Materials: Increasing software transparency allows market actors to better understand their supply chain risk and to hold their vendors accountable for secure development practices. CISA continues to lead work with key stakeholders to identify and reduce gaps in software bill of materials (SBOM) scale and implementation. CISA will also explore requirements for a globally-accessible database for end of life/end of support software and convene an international staff-level working group on SBOM.
Investing in a Resilient Future
Drive Key Cybersecurity Standards: Consistent with the National Standards Strategy, the National Institute of Standards and Technology (NIST) will convene the Interagency International Cybersecurity Standardization Working Group to coordinate major issues in international cybersecurity standardization and enhance U.S. federal agency participation in the process. NIST will also finish standardization of one or more quantum-resistant public-key cryptographic algorithms.
Forging International Partnerships to Pursue Shared Goals
International Cyberspace and Digital Policy Strategy: Cyberspace is inherently global, and policy solutions must reflect close collaboration with our partners and allies. The Department of State will publish an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities. State will also work to catalyze the development of staff knowledge and skills related to cyberspace and digital policy that can be used to establish and strengthen country and regional interagency cyber teams to facilitate coordination with partner nations.
House Committee on Homeland Security Chairman Mark E. Green, MD (R-TN) and Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) issued the following statement on the NCSIP:
“We applaud the Office of the National Cyber Director (ONCD) for the prompt release of the National Cybersecurity Strategy Implementation Plan. As we stated when the Strategy was released in March, a strategy is meaningless unless properly implemented. We are pleased to see specific responsible agencies and contributing entities called out in the plan and quantifiable timelines for completion. We look forward to seeing how ONCD works with the Office of Management and Budget to appropriately address budgetary considerations for each initiative.
“We remain steadfast in our belief that the Biden administration must streamline existing regulations while working with the private sector to identify new opportunities for partnership rather than punishment. Implementation of this strategy must be a collaborative process that aims to ease regulatory burden while maintaining strong cybersecurity practices. We intend to exercise strict oversight on CISA’s efforts as the responsible agency for at least 10 initiatives and a contributing entity to at least 19 initiatives, as it continues to execute its federal cybersecurity and critical infrastructure resilience mission.”