On July 13, 2023, the White House issued the first iteration of its National Cybersecurity Strategy Implementation Plan (the “Implementation Plan”), which will be updated annually. The two overarching goals of the Implementation Plan are to address the need for more capable actors in cyberspace to bear more of the responsibility for cybersecurity and to increase incentives to make investments in long-term resilience. The Implementation Plan is structured around the five pillars laid out in the White House’s National Cybersecurity Strategy earlier this year, namely: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. The Implementation Plan identifies strategic objectives and high-impact cybersecurity initiatives under each pillar and designates the federal agency responsible for leading the initiative to meet each objective. The following summarizes some of the key initiatives included in the Implementation Plan that will directly impact critical infrastructure organizations, including healthcare, energy, manufacturing, information technology and financial services.

Pillar One: Defend Critical Infrastructure

The first pillar of the Implementation Plan focuses on initiatives aimed at supporting national security and public safety. It includes a National Security Council (NSC) initiative to establish cybersecurity requirements across critical infrastructure sectors, a National Institute of Standards and Technology (NIST) initiative to increase agency use of frameworks and international standards (such as the NIST Cybersecurity Framework (CSF)), and a Cybersecurity and Infrastructure Security Agency (CISA) initiative to scale public-private partnerships. Notably, it also includes a CISA initiative to issue a final rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). As we have previously written, CIRCIA directs CISA to publish a notice of proposed rulemaking within 24 months of the date of CIRCIA’s enactment and to issue a final rule no later than 18 months after publication of the proposed rulemaking. Under the Implementation Plan, the final rule should be completed by September 30, 2025 (4Q FY25).

Pillar Two: Disrupt and Dismantle Threat Actors

The second pillar of the Implementation Plan lists a number of legislative and regulatory initiatives, with short deadlines, aimed at addressing and preventing cybercrime. These include an initiative for the Department of Defense (DOD) to publish an updated cyber strategy by the first quarter of fiscal year 2024 (1Q FY24) (i.e., October 1 – December 31, 2023); a Department of Justice (DOJ) initiative to work with interagency partners to propose legislation to disrupt and deter cybercrime by 4Q FY23 (i.e., July 1 – September 30, 2023); and a Department of Commerce initiative to publish a Notice of Proposed Rulemaking on requirements, standards and procedures for Infrastructure-as-a-Service (IaaS) providers and resellers, also by 4Q FY23. (The federal fiscal year runs October 1 – September 30.)

Pillar Three: Shape Market Forces to Drive Security and Resilience

Perhaps most significantly, the third pillar includes a strategic objective to “shift liability for insecure software products and services” with a directive for the Office of the National Cyber Director (ONCD) to host a symposium to “explore approaches to develop a long-term flexible and enduring software liability framework.” As stated in the Implementation Plan, “to begin to shape standards of care for secure software development,” the Administration will “drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.” The completion date for this initiative is 2Q FY24.

Other Pillar Three strategic security objectives and initiatives include:

  • Driving the Development of Secure IoT Devices. This strategic objective includes an initiative for the Office of Management and Budget (OMB) to implement Federal Acquisition Regulation (FAR) requirements in line with the Internet of Things Cybersecurity Improvement Act of 2020, which we have previously written about. The completion date is 4Q FY23.
  • Leveraging the False Claims Act to Improve Vendor Cybersecurity. Under this initiative the DOJ will expand efforts to “identify, pursue, and deter knowing failures to comply with cybersecurity requirements in Federal contracts and grants[.]” The strategy notes that the Civil Cyber Fraud Initiative (CCFI), using DOJ authorities under the False Claims Act, can pursue civil actions against government grantees and contractors “who fail to meet cybersecurity obligations,” such as by “providing deficient cybersecurity products, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.” The completion date is 4Q FY25.
  • Exploring a Federal Cyber Insurance Backstop. Under this initiative, the Department of the Treasury’s Federal Insurance Office, in coordination with CISA and ONCD, will “assess the need for a Federal insurance response to catastrophic cyber events” that would “support the existing cyber insurance market.” The completion date is 1Q FY24.

Pillar Four: Invest in a Resilient Future

A notable strategic objective of the fourth pillar is to “secure the technical foundation of the Internet.” The initiatives under Pillar Four include an OMB initiative to lead the adoption of network security best practices, including prioritizing encryption of Domain Name System (DNS) requests, with a completion date of 2Q FY24. (We have previously written about vulnerabilities in the software and firmware that implement DNS, and about protecting against damaging data loss and insider threats.) The pillar also includes an ONCD initiative to promote the adoption of “memory safe programming languages” through the Open-Source Software Security Initiative (OS3I) (completion date 1Q FY24), and a NIST initiative to address Border Gateway Protocol (BGP) and IPv6 security gaps through international standards (completion date 2Q FY24). The ONCD will also lead an initiative to develop a National Cyber Workforce and Education Strategy (completion date 2Q FY24).

Pillar Five: Forge International Partnerships to Pursue Shared Goals

The fifth pillar in the Implementation Plan includes strategic objectives to publish an International Cyberspace and Digital Policy Strategy, expand international partners’ cyber capacity through operational law enforcement collaboration, and establish flexible foreign assistance mechanisms to provide cyber incident response support quickly. It also includes an initiative by the DOD, DOJ, and FBI, to “hold irresponsible states accountable when they fail to uphold their commitments.”

Wide-Ranging Initiatives

The Implementation Plan includes more than 65 initiatives, only some of which are highlighted in this post. While the Implementation Plan does not currently create any new or binding requirements on businesses, it provides a helpful roadmap for understanding the federal government’s cybersecurity priorities, as well as agency timelines for completing specific legislative proposals, rulemakings and enforcement policies, all of which will have a significant impact on how businesses approach cybersecurity. Organizations affected by these initiatives, including financial services, energy, health, and software and technology providers, should assess the impact of the Plan on their cybersecurity operations, particularly as it pertains to regulatory compliance and any potential safe harbor. EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and to identify recognized security practices that may bolster practical security and improve compliance defensibility.

Back to Health Law Advisor Blog