IT Strategy

The National Cybersecurity Strategy is now officially in motion

The White House recently released its timeline for shoring up the nation’s cyber defenses.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The Biden administration has released the implementation plan for its National Cybersecurity Strategy—officially setting in motion its ambitious initiative to shore up vulnerable cyber defenses and improve preparedness nationwide.

The plan, released July 13, establishes timelines and expectations for the five “pillars” of the plan, which include “defend critical infrastructure,” “disrupt and dismantle threat actors,” “shape market forces to drive security and resilience,” as well as long-term investment in cybersecurity internationally.

All told, the White House plan lays out more than 65 separate initiatives. Acting National Cyber Director Kemba Walden told reporters the plan constitutes a “living document” and will be updated in 2024 to a 2.0 version, according to CyberScoop. A few initiatives are already finished or in motion, such as the codification of a Department of Homeland Security board to investigate major incidents and the federal government’s “cyber workforce and education strategy,” Walden added. Others are not, such as the Cybersecurity and Infrastructure Security Agency’s (CISA) plans to update the National Cyber Incident Response Plan by 2025.

CyberScoop reported that initiatives the federal government expects to be completed this year include new IoT standards, both voluntary (a new industry labeling program) and less so (proposals that federal vendors meet stricter acquisitions requirements). CISA will also launch a multiyear effort to “build domestic and international support” around coordinated vulnerability disclosure programs, while a joint ransomware task force run by CISA and the FBI will collaborate with the State Department to discourage other nations from acting as safe havens for cybercriminals.

Some elements of the plan will take longer. For example, the document states the Office of the National Cyber Director will hold a symposium on developing a new software liability framework to hold developers accountable for their products by the middle of next year. CISA will also promote software bills of materials (SBOMs), as well as develop plans to identify unsupported software in critical infrastructure by Q2 2025.

Walden told reporters cyber attacks may be inevitable, but the essence of the plan is to ensure “the downtime is going to be quick, and that the impact won’t be catastrophic,” according to CyberScoop. “So we need to figure out what investments we need to make.”
