May 14, 2024

White House Releases National Cybersecurity Strategy Implementation Plan, Version 2

Share

On May 7, 2024, the Biden Administration released the second version of the National Cybersecurity Strategy Implementation Plan as well as the first Report on the Cybersecurity Posture of the United States. These actions reflect the Administration’s continued focus on enhancing the cybersecurity of critical infrastructure and software as well as its work to counter both established threats like ransomware and emerging threats from artificial intelligence. Companies across sectors should continue to monitor how implementation of the National Cybersecurity Strategy and evolving risks affect how best to respond to cyber threats and manage associated legal risks.

The National Cybersecurity Strategy Implementation Plan

The Biden Administration released the second version of the National Cybersecurity Strategy Implementation Plan (“Implementation Plan”) on May 7, 2024. The first version was published on July 13, 2023. It described more than 65 initiatives to achieve the objectives set forth in the Biden Administration’s National Cybersecurity Strategy, which called for (1) rebalancing the responsibility to defend cyberspace towards the “most capable and best-positioned actors” in the public and private sectors and (2) realigning incentives to favor long-term investments in cybersecurity. The second version builds on this goal, discussing 100 initiatives that are separately assigned to 18 federal agencies for implementation. The Office of the National Cyber Director (“ONCD”) is responsible for coordinating the execution of the Implementation Plan.

New Initiatives

The second version added 31 initiatives under each representative “pillar” of the National Cybersecurity Strategy. These additions reflected a focus on supply chain risks, public-private collaboration on cybersecurity issues, ransomware threats, software vulnerabilities, and other areas.

Some of the new initiatives added to the pillars:

  • Pillar One, “Defend Critical Infrastructure”
    • “Promote adoption of cybersecurity best practices across the healthcare and public health sector”
    • “Promote cyber supply chain risk management (C-SCRM) and encourage effective enterprise-wide sharing of supply chain risk information”
  • Pillar Two, “Disrupt and Dismantle Threat Actors”
    • “Implement the 2023 DoD Cyber Strategy”
    • “Increase collaboration between private-sector entities and Federal agencies to disrupt malicious cyber activity”
    • “Disrupt ransomware crimes through joint operations”
  • Pillar Three, “Shape Market Forces to Drive Security and Resilience”
    • “Assess the feasibility of approaches to understand open-source software security risk”
    • “Explore approaches to develop a long-term, flexible, and enduring software liability framework”
  • Pillar Four, “Invest in a Resilient Future”
    • “Promote secure and measurable software solutions across the building blocks of cyberspace”
    • “Drive the development and adoption of cybersecurity principles for electric distribution and distributed energy resources (DER) in partnership with energy sector stakeholders”
    • “Promote skills-based hiring practices” for the cyber workforce
  • Pillar Five, “Forge International Partnerships to Pursue Shared Goals”
    • “Implement the International Cyberspace and Digital Policy Strategy”
    • “Develop guidance for secure development and manufacturing of semiconductors”
Going Forward

As the year progresses, agencies will continue working on the initiatives contained in version two of the Implementation Plan. In a concurrent report (discussed below), ONCD stated that this coordination will require “efforts to enhance the capabilities of Sector Risk Management Agencies, strengthen the national cyber workforce, implement incident reporting requirements directed by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), enhance the speed and scale of adversary disruption campaigns, improve analytics and information sharing mechanisms, continue to invest in quantum information science, and prioritize cybersecurity in foreign assistance mechanisms.”

Future actions will likely continue to shape the private sector through new regulatory requirements, guidelines, and opportunities for private sector input.

The Report on the Cybersecurity Posture of the United States

ONCD concurrently released the 2024 Report on the Cybersecurity Posture of the United States (“Report”). The Report—the first of its kind—discusses five trends in the strategic environment of emerging technologies and cybersecurity risks during the previous year:

(1) evolving risks to critical infrastructure

(2) ransomware

(3) supply chain exploitation

(4) commercial spyware

(5) artificial intelligence

The Report focuses on the United States’ current cybersecurity posture, the effectiveness of its cyber policy and strategy, and implementation of that policy and strategy by the federal government, including efforts taken pursuant to the National Cybersecurity Strategy.

Risks

In the Report, ONCD referenced threats posed by state and non-state actors, risks to critical infrastructure from the People’s Republic of China and other foreign adversaries, supply chain exploitation, ongoing attacks from prolific ransomware groups, emerging digital technologies, and other evolving areas of risk to the nation’s cybersecurity posture.

Strategy

Specific efforts undertaken by the federal government, as highlighted in the Report, include developing cybersecurity requirements for critical infrastructure, disrupting malicious cyber activity, promoting stronger software security, enabling a consumer-focused digital economy, and improving incident response through information sharing and supporting victims.

Related Services & Industries

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe