The White House is aiming to issue the implementation plan for a new national cyber strategy in early summer, while officials in the coming weeks will seek public comment on how to coordinate a growing patchwork of cybersecurity regulations across critical infrastructure sectors.
Robert Knake, the acting principal deputy national cyber director, said the White House is “targeting June” to release the public version of the national cyber strategy’s implementation plan.
“What you’re going to see is implementation actions moving out to every single department and agency that’s been involved in this process,” Knake said at a Monday event hosted by the Chamber of Commerce.
The initial plan will be only the “1.0” version, he added. The Office of the National Cyber Director (ONCD) is likely to issue further updates in the months and years ahead to track the strategy’s progress and efficacy.
“We will be tracking each of those activities, making sure that we do them as a federal government, but also to make sure that they’re effective,” Knake said. “And if they’re not effective to make sure that we are adjusting course, and we’re coming up with new efforts and new initiatives to meet those overall strategic goals.”
Meanwhile, the office of the national cyber director will also issue a request for information on “regulatory harmonization” in the coming weeks, Knake said.
“This is really just to begin that process of understanding at a broad level of, where does industry see issues of harmonization?” he said.
The Biden administration’s recently issued national cyber strategy calls for establishing minimum cybersecurity requirements for critical infrastructure sectors. The document sketches out a departure from historic approaches to critical infrastructure cybersecurity that have relied on voluntary security standards and programs.
Some agencies, like the Transportation Security Administration, had already been issuing requirements for their respective sectors. And Biden administration officials have said they will work with Congress on areas where the executive branch doesn’t have the authority to issue cyber regulations.
But some lawmakers and portions of industry have raised concerns about companies having to respond to overlapping and duplicative cybersecurity requirements.
Knake said the White House is not necessarily pushing to iron out differences between “conflicting rules or even conflicting regulators.”
Instead, he said officials are looking at instituting a process for “reciprocity” or another mechanism where companies can potentially meet multiple requirements without having to go through multiple assessments.
“If we can get to a point where we say, ‘OK, if it’s good enough for one regulator, it’s good enough for another regulator,’ that would be much more efficient,” Knake said. “It would allow companies to invest more, not in compliance, but actually investing in improving their security.”
Lawmakers have been generally supportive of the Biden administration’s cyber strategy, but House Republicans in particular have raised concerns about its push for more regulation. During a House Oversight and Accountability Committee hearing last Thursday, Chairwoman Nancy Mace (R-S.C.) raised concerns that “we could stifle innovation by overregulating.”
Kemba Walden, the acting national cyber director, responded that ONCD and the Office of Management and Budget are leading efforts to coordinate on cybersecurity requirements, including by establishing a regulatory harmonization task force.
The group will consider “what are the gaps, what are the regulations, what are the authorities that exist now that we’re underutilizing for regulatory purposes of cybersecurity. How do we fill any gaps that might exist?” Walden said. “But, most importantly, you and I agree that we need to harmonize so that we make sure that we incentivize investment in cybersecurity requirements and not compliance, which some sectors are doing right now.”