In July 2023 the White House issued the National Cybersecurity Strategy Implementation Plan (NCSIP). A Covington blog notes that

The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year. This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually. Consistent with the Strategy, the NCSIP contemplates five broad lines of effort (“pillars”):

      • Defending critical infrastructure;
      • Disrupting and dismantling threat actors;
      • Shaping market forces to drive security and resilience;
      • Investing in a resilient future; and
      • Forging international partnerships to pursue shared goals.

The blog continues…

Among the many initiatives, the Administration has outlined several specific efforts over the next three years that will be of interest to technology companies, federal contractors, and critical infrastructure owners and operators.

  • By the end of FY2023, the Administration plans to implement the government’s Internet of Things (“IoT”) security labeling program and – in line with the IoT Cybersecurity Improvement Act of 2020 – propose corresponding changes to the Federal Acquisition Regulation (“FAR”). The Administration also plans to publish a Notice of Proposed Rulemaking on requirements, standards, and procedures for Infrastructure-as-a-Service providers and resellers, in line with E.O. 13984.
  • In the first quarter of FY2024, the Administration plans to propose FAR changes required under E.O. 14028 (the “Cyber EO”) regarding standardizing cybersecurity requirements for unclassified federal information systems (FAR Case 2021-019), cyber threat and incident reporting and information sharing (FAR Case 2021-017), and supply chain software security (FAR Case 2023-002). The Department of Energy, working with CISA and the Office of the National Cyber Director (“ONCD”), will also “drive adoption of cyber secure-by-design principles by incorporating them into Federal projects.” In the second quarter of FY2024, ONCD – as part of the Administration’s efforts to shift liability for insecure software products and services from users to producers and vendors – plans to propose a plan to harmonize baseline cybersecurity requirements for critical infrastructure and to develop a “long-term, flexible, and enduring software liability framework” with an “adaptable safe harbor.”
  • By the first quarter of FY2025, the National Institute of Standards and Technology (“NIST”) plans to publish Cybersecurity Framework 2.0 to keep pace with advancing technology and evolving threats. During the second quarter of FY2025, CISA will work with key stakeholders to identify and reduce gaps in software bills of materials (“SBOMs”) and explore requirements for a globally-accessible database for end-of-life/end-of-support software. By the end of FY2025, CISA will issue final rules in line with the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”). The Department of Justice (“DOJ”) will also be tasked with expanding its efforts to leverage the False Claims Act to pursue civil actions against government contractors who fail to meet cybersecurity obligations.
  • By the first quarter of FY2026, CISA will lead a cross-sector effort to review public-private collaboration mechanisms to ensure that there are effective information sharing platforms and processes in place to address emerging cyber threats.

The blog also has a table that provides an overview of NCSIP initiatives, arrayed in the order that the Administration plans to complete each effort.