The Office of the National Cyber Director (ONCD) has unveiled its implementation plan for a comprehensive national cybersecurity strategy. The plan sets deadlines for 18 government agencies to initiate changes aimed at enhancing cybersecurity regulation and increasing corporate responsibility for protecting critical infrastructure from cyberattacks.
Acting National Cyber Director Kemba Walden described the 57-page plan as a roadmap for achieving the strategy’s objectives, focusing on the involvement of major entities in the public and private sectors to reduce cyber risks and promote long-term investment in cybersecurity.
The plan is notably detailed and prescriptive: it assigns responsibility and near-term deadlines for 69 initiatives to the individual agencies that will carry out the reforms.
It tackles various initiatives, including combating cybercrime, building a skilled cyber workforce, and streamlining regulatory directives to clarify agency roles in meeting cybersecurity goals. The Cybersecurity and Infrastructure Security Agency (CISA) will lead efforts to update the National Cyber Incident Response Plan, emphasizing collaboration among federal agencies and non-government partners in incident response and recovery.
The implementation plan also addresses the software bill of materials initiative and charges CISA with improving software transparency to address supply chain risks. The plan assigns the National Institute of Standards and Technology (NIST) to standardize quantum-resistant cryptographic algorithms and establish an interagency and global body for technical and cybersecurity standardization. The Department of Justice is tasked with leading an interagency effort to propose legislation aimed at enhancing the government’s ability to detect and disrupt cybercrime.
Acting Director Walden highlighted completed initiatives, including proposed legislation to strengthen the Cyber Safety Review Board, with additional work underway such as the upcoming release of a national cyber workforce and education strategy. She emphasized that the plan is a “living document” that will evolve as the threat landscape changes and new actions become necessary.
Walden underscored the plan’s focus on improving government response and collaboration with the private sector, particularly in addressing incidents like the recent Chinese hack of Microsoft’s cloud email service.
While experts praised the plan’s effective policy objectives, some noted a desire for a more robust approach to cloud computing security. Nonetheless, a senior administration official defended the provisions, stating that they establish best practices for service providers.