Date: 2023-07-13

The Biden administration on Thursday released a plan for implementing its National Cybersecurity Strategy, laying out agency assignments and deadlines for dozens of activities aimed at improving digital defenses in the U.S. and abroad.

The implementation plan describes how the government will complete 69 concrete activities, which are based on the strategy released by the White House’s Office of the National Cyber Director in March. Eighteen different agencies are leading at least one activity.

“If the strategy represents the President's vision for the future, then this implementation plan is the roadmap to get there,” acting National Cyber Director Kemba Walden told reporters during a briefing on Wednesday.

According to the plan, federal agencies have until April 2025 to evaluate gaps in their authorities to regulate the cybersecurity of critical infrastructure sectors like schools, hospitals and power plants and propose new regulations to the White House. This regulatory push is a core part of the Biden administration’s approach to protecting critical infrastructure and has already resulted in new rules for railroad carriers, pipeline operators and water utilities—with more in development.

According to the plan, the Commerce Department has until October to publish a proposed rule setting customer verification requirements for cloud companies. The goal of the rule, which is based on a Trump administration executive order, is to stop hackers from using these cloud platforms to launch attacks.

The Office of Management and Budget has until January 2024 to oversee the publication of three draft rules affecting federal contractors. One would govern how those contractors report cyber incidents to their customers, a second would set security requirements for the government’s software vendors, and a third would create standard cybersecurity language for future federal contracts.

The plan gives the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency until January 2025 to update the National Cyber Incident Response Plan, which lays out how agencies coordinate to address significant hacks. The document was last updated in 2016.

Pursuant to the plan, a team of officials from multiple agencies has until January 2024 to recommend whether DHS should create new critical infrastructure sectors that recognize new developments in vital technology areas. These sectors form the basis for the government’s work with the private sector to defend key facilities from hackers. There are currently 16 critical infrastructure sectors, including for communications, energy, financial services, and health care. A recent CISA report suggested that it might be time to create sectors for space and bioeconomy.

The implementation plan also commits ONCD to hosting a “legal symposium” by April 2024 to explore ways to hold software vendors liable for distributing code with known vulnerabilities. It also gives the White House until October to kickstart a program to create security labels for internet-connected devices like webcams, hoping to increase consumers’ awareness and appreciation of security features in these products.

Other activities required by the plan include the Office of the Director of National Intelligence studying ways to deliver classified warnings to more industry partners; DOJ expanding its use of the False Claims Act to prosecute federal contractors that flout cyber requirements; and OMB developing a “plan of action” to better secure unclassified U.S. government computer networks.

Still other initiatives deal with cyber aid to foreign allies, investments in non-proprietary 5G wireless networks, research on the social and economic aspects of cybersecurity, and efforts to promote security in the open-source software community.

Some of the plan’s tasks have already been completed, including the delivery to Congress of proposed legislation that would codify DHS’s Cyber Safety Review Board, which investigates major incidents and reports on lessons learned from them. In addition, the Pentagon has submitted the classified version of its cyber strategy to Congress. And a senior administration official told reporters on Wednesday that they believed the U.S. Secret Service had already proposed several bills to improve the government’s ability to disrupt cybercrime operations.

The implementation plan also sets deadlines for several topic-specific strategies that flow out of the broader strategy. The State Department has until January 2024 to issue an international strategy on cyberspace and digital policy, while ONCD has until April 2024 to issue its cyber education and workforce strategy. Walden said on Wednesday that she hopes to publish that document soon.

ONCD intends for the implementation plan to be a living document, with future updates occurring when officials identify new ways to implement the administration’s vision.

The second version will be published next year, Walden told reporters, with annual updates to follow.