The US National Cybersecurity Strategy has been on our radar for some time as a key driver of change within the industry. We have been proactively offering advice and guidance to companies in preparation for the rollout. On July 13, 2023, the White House published the plan for the strategy's implementation.
The National Cybersecurity Strategy Implementation Plan (NCSIP) is designed to provide a clear and transparent roadmap to ensure collaboration between US Federal Government agencies in executing the strategy. This strategy marks a significant shift in prioritizing long-term investments by providing incentives, in addition to restructuring how the US allocates roles and resources within cyber.
The NCSIP details over 65 "high-impact" initiatives, each assigned to a responsible agency with established timelines.
It is vital that companies understand the impact of these Federal initiatives from a staffing perspective, because a large portion of the plan is focused on building a skilled cyber workforce while preserving American jobs.
The key initiatives encompass deliverables such as changing legislation and modernizing technology systems, and are based on five pillars:
Pillar One | Defending Critical Infrastructure
This focuses on collaboration between government departments, the private sector, and state, local, tribal, and territorial (SLTT) partners during a cyber incident. It ensures these non-Federal partners understand the help and support that is available and how to access it in a timely manner. The Cybersecurity and Infrastructure Security Agency (CISA) will lead a process to update the National Cyber Incident Response Plan to more fully realize the policy that "a call to one is a call to all." The update will also include clear guidance to external partners on the roles and capabilities of Federal agencies in incident response and recovery.
Pillar Two | Disrupting and Dismantling Threat Actors
This focuses on combatting ransomware and other cybercrime. The FBI will work with Federal, international, and private sector partners to carry out disruption operations against the ransomware ecosystem. A complementary initiative, led by CISA, will include offering resources such as training, cybersecurity services, technical assessments, pre-attack planning, and incident response to high-risk targets of ransomware, like hospitals and schools. This aims to make them less likely to be affected and to reduce the scale and duration of impacts if they are attacked.
Pillar Three | Shaping Market Forces and Driving Security and Resilience
Increasing software transparency allows market actors to better understand their supply chain risk and hold their vendors accountable for secure development practices.
Pillar Four | Investing in a Resilient Future
This pillar drives key cybersecurity standards by coordinating internationally on cybersecurity standardization and enhancing US federal agency participation in the process. NIST will also finish standardizing one or more quantum-resistant public-key cryptographic algorithms.
Pillar Five | Forging International Partnerships to Pursue Shared Goals
The Department of State will publish an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities.
The Biden-Harris Administration added that this is "a living document that will be updated annually." However, due to the robustness of the process thus far, we don't expect sweeping changes in the foreseeable future.
Importantly, with minimum cybersecurity requirements cascading across industries, private companies will need to ensure their compliance.
Predicted effects on staffing include:
- Increased demand for professionals with expertise in vendor risk management and cybersecurity.
- Increased value of professionals with experience in government or hyper-regulated industries.
- A new demand for project management and compliance skills within cyber leads.
Recommendations from our team include:
- Hiring experts well-versed in evolving state and federal privacy laws.
- Hiring professionals with a proactive cybersecurity mindset, as the shift towards risk-based cyber roles implies.
- Investing in personnel capable of developing comprehensive risk management procedures and response plans, in anticipation of future regulatory changes.
Our team is already proactively assisting businesses in navigating regulatory shifts. If you would like to speak to one of our experts, contact us today.