Experts reflect on national cyber strategy, release version 2 of implementation plan

At RSAC 2024, government officials discussed the progress made under the National Cyber Strategy in year one and shared their vision for the future.

By Jill McKeon

SAN FRANCISCO, Calif. -- A panel of federal government officials reflected on the past year of cybersecurity successes and challenges since the release of the national cybersecurity strategy at an RSA Conference session on Tuesday, May 7.

On the same day, the Office of the National Cyber Director (ONCD) released version two of the “National Cybersecurity Strategy Implementation Plan,” along with a report on the overall cybersecurity posture of the U.S.

The Biden administration issued the strategy in March 2023 with the goal of improving cyber resilience, disrupting threat actor operations, and shifting cyber defense responsibilities. The strategy is divided into five pillars, each representing key focus areas.

Key takeaways from year one

“The national cybersecurity strategy called out extremely clearly that our country and the technology community as a whole needs a fundamental balance of accountability where the providers of technology with the ability to protect victims at scale are incentivized and required to do so at every turn,” said Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) and panelist at the session.

“We've made extraordinary progress in not only driving this vision but making it tangible.”

Goldstein remarked that over the past year, the strategy has enabled concrete changes in security across the public and private sectors. For example, in July 2023, the Biden administration announced the creation of the U.S. Cyber Trust Mark, a cybersecurity labeling program for Internet of Things (IoT) devices to help consumers make informed purchases with security in mind.

Driving the development of secure IoT devices was a key focus area in pillar three of the national cybersecurity strategy.

Goldstein also highlighted the recently released National Security Memorandum-22, which focuses on critical infrastructure security and resilience and requires each sector risk management agency (SRMA) to develop or update sector-specific risk assessments and risk management plans on a biennial basis.

While acknowledging this progress, Goldstein noted that there is still “a lot of work that we can do together across the community to make the right investments, but also to make life harder for the adversaries.”

In the 2024 report on the nation’s cybersecurity posture, National Cyber Director Harry Coker, Jr. also stressed the importance of continuing to build upon the momentum of the strategy’s first year.

“We need to build on the successes of the past year, learn lessons from where we fell short, and take on hard challenges such as harmonizing cybersecurity regulations, empowering Sector Risk Management Agencies, and supporting smaller organizations facing down capable adversaries,” Coker wrote.

“Together, we will build a digital world that keeps Americans safe from cyber threats and enables our grandest ambitions.”

In 2023, federal government agencies completed 92% of the initiatives set forth in the first version of the implementation plan, and many more are on track for completion in the next two years. The new iteration of the plan consists of 31 new initiatives that build on last year’s goals and establish new focus areas.

Refreshed implementation plan highlights healthcare cyber goals

“It's so important that we're focusing on critical infrastructure,” Drenan Dudley, deputy national cyber director for strategy and budget at the ONCD, said during the panel session.

The updated implementation guide remains centered around the five pillars of the national cybersecurity strategy, with a renewed focus on critical infrastructure security and disrupting malicious cyber activity.

“One very specific thing related to that is in the new implementation plan, we added three agencies that are in a lead role for implementing an initiative for the first time, which is really exciting. Three of them are specifically related to critical infrastructure activity.”

The updated implementation plan also includes a new initiative under HHS, aimed at promoting the adoption of cybersecurity best practices, which points to the goals outlined in the department’s own healthcare cybersecurity strategy.

“The Department of Health and Human Services (HHS), as part of its sector-specific risk management plan required under National Security Memorandum-22, will continue to underscore the adoption of cybersecurity best practices across the healthcare and public health sector by implementing an HHS-wide strategy to support greater enforcement and accountability across the sector,” the document states.

The estimated completion date for this action is the first quarter of 2025.

While the panelists expressed optimism about the progress made in the first year of implementation, they acknowledged that there is still plenty of work to be done to bring critical infrastructure to a more secure state.