National Cybersecurity Strategy (NCS) and its implementation plan (NCSIP): Quick highlights…

Alie Ashryver

Aug 3, 2023

Three months after releasing the National Cybersecurity Strategy (NCS) 2023, the Biden-Harris administration followed up on the agenda by releasing the first official draft of an implementation plan. On July 13, 2023, the White House set the ball rolling on improving and strengthening America’s cybersecurity posture. The multiyear implementation plan, NCSIP, was indeed everything that the governing bodies and industry leaders hoped for and more. From answering the who, what, and how of all the pointers in the NCS 2023 to hashing out a proper timeline to work on every single agenda, the NCSIP lays down a proper roadmap.

So, that’s the general hubbub around what went down a fortnight ago. But it’s not enough, right? So, let’s swim a little deeper.

Before NCSIP, let’s get some background on National Cybersecurity Strategy 2023…

So, as we’ve seen, earlier this year, the U.S. government officially replaced the 2018 Trump administration cybersecurity strategy by releasing the latest iteration of the country’s cybersecurity plans. The new National Cybersecurity Strategy effectively builds on its predecessor, with finer tweaks to cater to the needs of the current cyberspace. Essentially, the strategy strives to strike the perfect balance between maintaining the progress achieved in various areas while also advancing and refining the strategic initiatives initially introduced by the 2008 Comprehensive National Cybersecurity Initiative.

The new strategy emphasizes two significant shifts:

  • Firstly, a re-evaluation of the responsibility distribution for defending cyberspace.
  • And secondly, a repositioning of incentives to encourage long-term investments in cybersecurity.

This approach offers a new outlook on how the government and private sector handle cyber risks. It recognizes that users often bear an uneven burden in managing these risks. It suggests a significant change by advocating for legislation that holds providers responsible for not meeting crucial security standards. While reaffirming the government’s role in safeguarding its systems and conducting diplomatic, law enforcement, and intelligence activities, the strategy highlights the importance of private entities proactively safeguarding their systems.

Pillars of the new National Cybersecurity Strategy…

A lot of chatter around the net might lead you to believe that the entire 39-page strategy boils down to transparent cooperation between public and private sectors (or state and non-state actors, if you will) to secure cyberspace. However, it’s not that simple. And that is probably why the strategy has a five-pillar-based approach. Here’s a look at the five pillars to get a quick grasp over their priorities.

Defend critical infrastructure:

National security, public safety, and economic prosperity sum up the primary concerns of any country. And, of course, defending critical infrastructure is crucial to ensuring all three. Establishing a collaborative defense model that shares responsibility and enhances security is essential. This, right here, is the basis of the first pillar of the NCS. And so, cybersecurity protections are being mandated in critical sectors, with potential regulations for others. Citing the “Shields Up” campaign, the first pillar advocates for increased private sector involvement. The Federal Government is focusing on improving its own cybersecurity, aiming to be a model for secure and resilient systems in critical infrastructure nationwide. Here’s a sneak peek at the priorities.

  • The strategy aims to increase the implementation of minimum cybersecurity standards across critical sectors and streamline regulations to ease the compliance process.
  • Facilitate swift and extensive public-private cooperation to protect critical infrastructure and vital services effectively.
  • Strengthen and modernize federal networks while revising the federal incident response policy.

But, what was the “Shields Up” campaign?

The “Shields Up” campaign was initiated by the Cybersecurity and Infrastructure Security Agency (CISA) in February 2022 as a cybersecurity awareness initiative, particularly in response to the threat posed by Russia’s 2022 war on Ukraine. This campaign aims to enhance organizations’ cybersecurity readiness and protect them against cyberattacks.

Under the “Shields Up” campaign, CISA offers various valuable resources:

  • Guidance for enhancing cybersecurity defenses: This guidance covers essential aspects like implementing multi-factor authentication, addressing known vulnerabilities through patching, and actively monitoring networks for suspicious activities.
  • Updates on current cybersecurity threats: Admins regularly update the Shields Up website with information about existing cybersecurity threats, including those targeting critical infrastructure.
  • Tools and resources for assessing and improving cybersecurity: CISA provides tools like the Shields Up scorecard and the Shields Up checklist, empowering organizations to evaluate and enhance their cybersecurity preparedness.

Disrupt and dismantle threat actors:

The United States is committed to using all available means, including diplomacy, military, intelligence, and law enforcement capabilities, to counter and dismantle threat actors that pose a risk to its interests. And so, the goal of the NCS’s second pillar is to prevent sustained cyber campaigns that threaten national security and public safety. The focus is on enhancing collaboration, intelligence sharing, and disruption campaigns to deny adversaries the use of U.S. infrastructure and combat global ransomware efforts. Here’s a quick rundown of the priorities for the second pillar.

  • Utilize the full range of national resources to strategically disrupt adversaries.
  • Involve the private sector in disruption efforts through adaptable and scalable approaches.
  • Combat the ransomware menace with a comprehensive federal strategy and close collaboration with international allies.

Shape market forces to drive security and resilience:

A secure and resilient digital future. This promise is why the United States aims to influence market dynamics by assigning responsibility for reducing cybersecurity risk to those best positioned within the digital ecosystem. The goal of the third pillar is to shift the impact of poor cybersecurity away from the vulnerable, making the ecosystem more trustworthy. Market forces will be guided to enhance the country’s resilience and security while preserving innovation and competition in the digital economy. Moreover, the Administration will ensure the long-term security and resilience of the digital ecosystem against current and future threats. The objective is to foster better cybersecurity practices and provide market stability during catastrophic events. Priority listings under this pillar include:

  • Advocate for the protection of privacy and personal data security.
  • Transfer liability for software products and services to incentivize secure development practices.
  • Ensure federal grant programs encourage investments in secure and resilient new infrastructure.

Invest in a resilient future:

Investments made today are essential for a resilient and thriving digital future. The United States aims to create a more secure, resilient, private, and equitable digital ecosystem through strategic investments and collaborative efforts. By doing so, the U.S. will maintain its role as a global leader in secure next-gen technologies and infrastructure.

Crucial elements of the digital ecosystem, like the Internet, are the results of joint public and private investments. However, cybersecurity investments have lagged behind evolving threats. As new digital infrastructure emerges and revolutionary tech changes approach, addressing this investment gap becomes more urgent. And so, the fourth pillar of the strategy shines a light on how the Federal Government will use public investments in innovation, R&D, and education to drive sustainable outcomes in the national interest. Various programs, including the National Science Foundation’s initiatives and new grant opportunities, will be leveraged to ensure U.S. leadership in technology and innovation. The goal is to combine innovation with security to counter adversarial threats and ensure resilience as an integral part of new technical capabilities. Here’s a look at the priorities.

  • Address and minimize systemic technical vulnerabilities within the internet’s foundation and the entire digital ecosystem to enhance resilience against transnational digital repression.
  • Give paramount importance to cybersecurity research and development, focusing on cutting-edge technologies like post-quantum encryption, digital identity solutions, and clean energy infrastructure.
  • Cultivate a diverse and strong national cyber workforce.

Forge international partnerships to pursue shared goals:

The United States aims to establish a global environment: a world where responsible state behavior in cyberspace is rewarded, while irresponsible actions are punished. And so, the U.S. plans to collaborate with international partners by leveraging coalitions and partnerships among like-minded nations to address threats to the digital ecosystem. Historically, the U.S. has utilized international institutions like the United Nations to develop norms and measures for responsible state behavior in cyberspace. This includes frameworks like the UN Group of Governmental Experts and the Budapest Convention on Cybercrime. The fifth pillar of the NCS promises to continue with these efforts and prioritize:

  • Utilize international coalitions and alliances with like-minded nations to collectively address threats to the digital ecosystem by coordinating preparedness, response, and cost-sharing efforts.
  • Enhance the capabilities of partner countries to defend against cyber threats, fostering resilience during both peaceful periods and times of crisis.
  • Work closely with international allies and partners to create secure, reliable, and trustworthy global supply chains for information and communications technology (ICT) and operational technology (OT) products and services.

Across the five-pillar-based approach of the new National Cybersecurity Strategy, the overarching vision of the Strategy is to safeguard the potential of the digital future by ensuring that the ecosystem becomes:

  • Defensible, with simplified and affordable cyber defense measures that are more efficient and accessible to all.
  • Resilient, focused on minimizing the repercussions of cyber incidents and errors.
  • Values-aligned, where fundamental principles such as economic security, respect for human rights, trust in democracy, and a fair and inclusive society profoundly shape and strengthen the digital realm.

And that, ladies and gentlemen, is the new NCS in a nutshell. So now, what is the NCSIP, the National Cybersecurity Strategy Implementation Plan?

Turning the ideas of NCS into a reality with NCSIP…

“If the strategy represents the president’s vision for the future, then this implementation plan is the roadmap to get there.”

This is what the Acting National Cyber Director (NCD) Kemba Walden had to say about the 57-page-long document. So, let’s get back to our original question of what exactly the NCSIP is. Well, to put it simply (at the cost of sounding redundant 😁), the NCSIP is an implementation plan for the NCS. Accordingly, the plan delineates around sixty-five high-impact initiatives. These are initiatives that various agencies must undertake to proactively address emerging threats. Also, the plan specifies a detailed timeline for achieving these objectives. While eighteen agencies will spearhead individual initiatives, the majority of the plan’s goals necessitate close interagency collaboration.

Different agencies involved:

As mentioned, eighteen federal departments and agencies have been chosen to lead various initiatives. Notably, key responsibilities are assigned to entities such as the Office of the National Cyber Director (ONCD), Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), Department of Defense, Department of Justice, Department of State, Department of Homeland Security, and the FBI. These organizations will play significant roles in the implementation process. The ONCD and the Office of Management and Budget (OMB) will take point in leading the administration’s efforts and funding proposals respectively. Now, while the plan lacks immediate funding, it does reference forthcoming budget requests, including the Administration Cybersecurity Priorities for the FY 2025 Budget.

NCSIP, a living document…

Moving on, keen ears here and there will catch news snippets referring to the NCSIP as a “living document.” Why is that? Well, this is because when compared with the one-time document that is the NCS 2023, NCSIP is supposed to evolve over time with multiple iterations. And it makes perfect sense too!

The sixth element of the NCSIP

Just like the National Cybersecurity Strategy, the implementation plan, NCSIP, is also framed around the five-pillar-based approach and… more. What’s the “more?” Well, apart from the five pillars of the national cybersecurity strategy, there is an extra sixth element to the NCSIP. Basically, this extra element, “implementation-wide initiatives,” advocates for regular reporting on the progress of implementing the strategy, incorporating valuable insights gained from the process. It also emphasizes the need to align federal budgetary guidance with the strategy’s implementation to ensure its effective execution. Not bad for a first draft at all!

Word across the town…

After a major drop like the National Cybersecurity Strategy Implementation Plan, the town was bound to be buzzing with opinions and remarks. And abuzz it was! From headlines and top stories to direct quotes from industry leaders and key players in cyberspace, the NCSIP has indeed been the talk of the town for the better part of these last two weeks. Skim along!

  • The Federal News Network covered a piece on how the White House has set the wheels in motion for its national cyber strategy by ‘giving marching orders’ to agencies to achieve their cybersecurity goals.
  • Quite a few key players in the cybersecurity industry agree that the NCSIP has exceeded expectations as far as filling the gaps and fissures in guidance on cloud and hybrid models is concerned.
  • Decision-makers and industrialists have equally lauded the implementation plan’s attention to detail and the ‘relatively aggressive deadlines.’ Both of these factors contribute to creating the right sense of urgency for all the stakeholders, which is just an added bonus.
  • Yet another piece of news hinted at how both the NCS and the NCSIP can ‘bolster’ the country’s cyber resilience.

There’s more along the lines of these. However, the bottom line is that the NCSIP has created some powerful waves and will continue to do so throughout its run.

And so,

The pieces are on the board, and the wheel’s been set into motion. The Biden-Harris administration has ironed out the strategy and penned down the rules. All that is left to do is to play your roles right! Toodles, then!

Alie Ashryver

Product Evangelist @ Hexnode. Gimme a pen and paper and I'll clear up the cloud of thoughts in ma head...