The Biden administration is giving agencies marching orders to make its cyber policy goals a reality.
The White House on Thursday released an implementation plan for its National Cybersecurity Strategy. The plan outlines 65 high-impact initiatives agencies must meet to stay ahead of emerging threats, and sets a timeline to complete those goals.
The plan puts 18 agencies in charge of leading at least one initiative, although many of its goals will require interagency coordination.
Acting National Cyber Director Kemba Walden said Thursday that the implementation plan is a “living document” that will be updated annually to reflect the federal government’s evolving response to emerging threats.
Walden said agencies are already putting many of the plan's initiatives into practice, and that a “version 2.0” will be released next spring.
“A strategy is only useful if it guides coherent action,” Walden said at an Information Technology Industry Council event marking the release of the implementation plan.
Among its objectives, the implementation plan directs the Office of Management and Budget to accelerate IT modernization at federal civilian agencies, with a priority on “eliminating legacy systems which are costly to maintain and difficult to defend.”
The White House is also calling on the Cybersecurity and Infrastructure Security Agency to foster public-private partnerships, in an effort to ensure common technology tools are secure by design. CISA will also develop cyber incident and ransomware payment reporting requirements for critical infrastructure entities.
The administration is calling on the Defense Department to update its own national cybersecurity strategy to reflect challenges posed by nation-states and other malicious actors who “pose a strategic-level threat” to the U.S.
The implementation plan also hints at an upcoming workforce and education strategy that identifies ways to keep a steady pipeline of cyber experts coming into government and industry.
Nick Leiserson, assistant national cyber director for cyber policy and programs, said the Office of the National Cyber Director (ONCD) expects to release the upcoming workforce strategy in the coming weeks.
“I think one of the biggest themes that has emerged, as we’ve been working on developing it, is the idea that you really need to push upstream, get earlier into the pipeline for the development of digital skills, if you want to be able to get the cybersecurity professionals that we need to see on the front lines defending our networks,” Leiserson told Federal News Network on the sidelines of the ITI event.
Leiserson said the White House sees a need for cybersecurity experts to support infrastructure projects funded by the Bipartisan Infrastructure Law, as well as energy and environmental projects under the Inflation Reduction Act.
“As technology becomes ever more integrated into our lives, we also need to recognize that that means every American is going to need to be equipped with a set of digital skills to just navigate the world,” he told Federal News Network.
The implementation plan also directs the Office of the National Cyber Director to work with OMB to harmonize baseline cybersecurity requirements for critical infrastructure.
Walden said ONCD is working on a request for information that will give industry partners an opportunity to give the federal government feedback on the current state of cyber regulations. Once that RFI is released, she said, ONCD will turn industry feedback “into actionable steps.”
“Where we’re trying to get with the RFI and with our regulatory harmonization work, fundamentally, is a good understanding of what is a good reciprocity framework,” Leiserson said. “How do we set up a system where an entity, a company, someone who’s an owner and operating in critical infrastructure can show that they’ve met baseline cybersecurity requirements for the common enterprise IT that exists in the banking sector, that exists in the communications sector, that exists in our grid? And say, ‘OK, we’ve demonstrated that we’ve met the requirements that we need, and we don’t have to demonstrate that in a different way to a different regulator.’”
Leiserson said the Biden administration is looking to keep the cyber regulatory framework adaptable to evolving standards in cybersecurity, noting that “what was state-of-the-art cybersecurity 20 years ago is absolutely not today.”
“What we want is for changing requirements to still be able to plug into a reciprocity framework, such that for your baseline cybersecurity requirements, we’re trying to make it as simple as possible, to say, ‘Yep, we’ve met the bar,’” he said. “There may be sector-specific things that come down on top of it, because you’re operating this particular kind of technology in the grid that you aren’t in the banking sector. But when it comes to your business systems, for instance, we expect that we’re going to see a lot of commonalities there.”
The implementation plan also calls on agencies to stay on top of emerging cyber trends, such as advances in quantum computing that could thwart current encryption standards. Agencies, Leiserson said, must also stand ready for cyber threats driven by artificial intelligence.
“There are several societal challenges and opportunities that artificial intelligence presents,” he said. “From the cybersecurity standpoint, what we want to see is that principles from the strategy — secure by design, for instance — are incorporated into these AI software models, because frankly, they are software at the end of the day.”
He added: “There will be a new technology that arrives. There will be a new threat that arrives. We will see something in the landscape that’s changed, and that we need to specifically address with an initiative that’s based on the principles in the strategy, but that we weren’t really thinking of how to apply them in this particular case, when we wrote the implementation plan.”
In many cases, agencies are already practicing what the implementation plan calls for governmentwide.
CISA announced Wednesday that a China-linked cyber campaign targeted the unclassified Microsoft cloud-based email accounts of federal agencies and other organizations.
The State Department and the Commerce Department were affected by the incident, but CISA said one of the affected agencies detected the breach through “enhanced logging.”
“Fundamentally, one of the things that heartens me on the federal cybersecurity side, is that this was discovered by a U.S. government agency, and they immediately worked with the vendor — Microsoft, in this case — in order to help remediate that. And I think that is a good news story, insofar as we have seen progress at departments and agencies, significant progress, in their internal capabilities to be able to discover things that affect their networks and then potentially affecting others,” Leiserson said.