The US federal government’s new implementation plan for the ongoing National Cybersecurity Strategy overhaul has arrived, packed with 65 initiatives assigned to federal agencies that will unfold over the course of the next three years.
The implementation plan has been designed with a high degree of flexibility, open to regular reviews and changes in response to emerging threats. Federal agencies have already been subject to many of these changes since the Biden administration took over, but companies with federal government contracts can expect a flurry of new requirements to roll out in the near future.
Implementation plan already set for 2024 overhaul
While the cybersecurity strategy initiatives range from some that are already completed to projects that run into 2025 and 2026, the implementation plan is already scheduled for a major review in about nine months.
The central focus of the implementation plan seems to be mapping out those projects that require multiple federal agencies to coordinate, bringing everything under the general oversight of the Office of the National Cyber Director (ONCD). Some items, such as the establishment of a federal emergency cyber insurance fund, may be in place by next year. Others, such as IoT consumer labeling standards, software bill of materials (SBOM) requirements and tougher cybersecurity standards for vendors that receive federal money, will likely play out well past the 2024 election.
While the new cybersecurity strategy means eventual new requirements for government vendors, particularly those running legacy systems that can no longer be properly updated, it does leave out some elements that security analysts would almost certainly want to see. One is the absence of any general requirement that software and code be demonstrably secure from the start, though this could change over time. A related but converse issue is the heavy emphasis on patching requirements, which addresses flaws after the fact and could very well overwhelm IT departments. And there may be too much of a focus on large suppliers, allowing smaller vendors (who are just as capable of being a breach entry point) to slip through the regulatory cracks.
New cybersecurity strategy meets with general approval
Despite some points that could stand fine-tuning, the cybersecurity strategy implementation plan does offer quite a few clear improvements. One point that is quite popular is the expansion of aggressive campaigns of disruption against foreign criminal threat actors, particularly ransomware groups. Disruption alone does not end ransomware, since new groups keep emerging to replace those taken down, but law enforcement actions of this sort in recent years have made the biggest threat groups uncomfortable and kept their time at the top of the criminal ecosystem short.
And while private industry connected to the federal government will be asked to take on more responsibility (and expense), the implementation plan’s commitment to streamlining and unifying regulations over a relatively short period will also likely provide some relief.
In total, 18 federal agencies will be involved with new cybersecurity strategy initiatives. The ONCD will issue annual reports on progress in addition to being the lead agency for developing regulatory harmonization guidance. The agency is also developing incentive systems to help improve cybersecurity beyond the present reach of federal mandates.