Officials in the White House Office of the National Cyber Director may be laser-focused on helping agencies evolve cyber and produce outcomes based on the mandates in the administration’s National Cyber Strategy, but they’re also contemplating necessary shifts to keep pace with evolving threats.
“Even as we’re nose to the grindstone right now, working to implement the 69 initiatives [in the strategy], we’re also looking over the horizon a bit to see what’s going to be coming in Implementation Plan 2.0, which we expect to be out in the spring of next year,” said Nick Leiserson, assistant national cyber director for cyber policy and programs in ONCD.
The White House office expects that its efforts going forward will be three-pronged:
Helping agencies with current cyber initiatives
Tracking evolving cyber needs and re-setting plans as necessary
Providing a continuing snapshot of how agencies are doing in protecting against threats to the government’s and the nation’s cyberspace
Updates to come on National Cyber Strategy implementation, status
Toward that end, ONCD intends to continue releasing updates so the public can track implementation of the strategy, Leiserson said during Federal News Network’s Cyber Leaders Exchange 2023.
The office will release an annual report on the government’s progress carrying out the strategic goals. And as circumstances change, it will adjust timelines, milestones and deadlines as well, he said.
Acting National Cyber Director Kemba Walden in July unveiled an NCS Implementation Plan as a follow-up to the big-picture cyber strategy. It includes the 69 distinct initiatives Leiserson mentioned, which aim to guide agencies in implementing the many facets of the strategy. It also includes a series of associated deadlines for these activities.
“The expectation is, there is going to have to be some flex because things change in the world,” Leiserson said. “If we don’t recognize that upfront, and say, ‘No, we’re going to stay the course on this path,’ instead of saying, ‘Technology evolves, the threat landscape evolves, and we have to be able to pivot,’ then we’re not going to get the outcomes that we want.”
Cybersecurity ‘playbook’ for federal grants in the works
Leiserson’s office is contributing in some way, often in support roles, to many of the initiatives in the Implementation Plan. But it will take the lead on leveraging federal grants to improve infrastructure cybersecurity, he said.
The plan states that ONCD will “develop materials to clarify, facilitate and encourage incorporation of cybersecurity equities into federal grant projects.”
The Bipartisan Infrastructure Law passed in 2021 included billions of dollars in grant money for infrastructure projects, ranging from roads and bridges to clean energy and broadband internet. Much of that funding is being disbursed through federal grants overseen by agencies.
ONCD’s goal is to help federal agencies, state and local agencies, and the recipients of grants understand what “they can do to ensure these projects are cyber-secure and that the networks themselves are cyber-secure,” Leiserson said.
The number of initiatives in the National Cybersecurity Strategy Implementation Plan
SOURCE: White House
The office is developing a grants process playbook for cybersecurity so organizations understand how to implement different cyber requirements, he said. But he was also quick to point out that the guidance should not be confused with an incident response playbook, which is one reason ONCD might rename it.
“The number one question we get when we have conversations with colleagues in state agencies, for example, is, ‘I believe you that this is something important for national security and economic security. What I don’t know is, what is it exactly that you’re asking me to do?’ ” Leiserson explained.
The hope is that the grants playbook will help answer that question and then in turn lead to better cyber protections for critical infrastructure.
Harmonization of critical infrastructure requirements also underway
The first pillar in the National Cyber Strategy is defending critical infrastructure, and the document makes clear that the Biden administration will continue deepening public-private partnerships while imposing cyber requirements to fill important gaps in security.
One of the first projects ONCD worked on was looking at the capacity of sector risk management agencies. SRMAs are federal agencies designated to oversee the nation’s 16 critical infrastructure sectors.
When it comes to public-private collaboration, the office wants to move beyond mere information sharing to operational collaboration, Leiserson said, and that starts with SRMAs. “That’s really the entry point for sectors in terms of helping to understand their risks and the consequences of incidents.”
In budget guidance issued this year, ONCD and the Office of Management and Budget directed SRMAs to ensure they are including funding for sufficient cybersecurity resources in their budget requests, potentially adding funds to hire cyber analysts.
Meanwhile, ONCD is leading a process to harmonize baseline cybersecurity requirements across critical infrastructure. The office released a request for information in July inviting public comments on the topic of cyber regulatory harmonization. It wants to better understand challenges with regulatory overlap and explore a framework for cyber reciprocity — essentially where one agency accepts another agency’s assessment or finding.
“As a baseline for technologies that are common across critical infrastructure sectors, we would prefer not to see differing requirements or, even worse, contradictory requirements,” Leiserson explained.
“We want reciprocity so that if I’m asking the same question as another regulator down the street, when you show to me that you are meeting whatever that requirement might be — whatever the certification you get for me that says, ‘Yes, I have investigated your system’ — and I am confident that you are doing what is required, that will suffice for the next regulator in line rather than having to go through an entirely different compliance process to really prove the same thing.”
The deadline for comments on the RFI is Oct. 31.
“At the end of the day, we do believe that there need to be baseline requirements across critical infrastructure sectors,” Leiserson said. “But we think we can do it smartly, and harmonization and reciprocity are key parts of doing it smartly.”