On March 2, 2023, the Biden-Harris Administration announced its new National Cybersecurity Strategy, a comprehensive approach to safeguarding the United States’ critical digital infrastructure. The strategy has been shaped by major cyber incidents that threatened public services in recent years and comes at a time when conflict is intensifying in Eastern Europe.
The document focuses heavily on critical infrastructure (CI) defense, public-private collaboration, incentivizing long-term cybersecurity and resilience investments and empowering smaller entities with the support they need to implement stronger cybersecurity.
The strategy is composed of five pillars:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Purse Shared Goals
In this post, we’ll look closely at the first pillar, Defend Critical Infrastructure, and what this might mean for operators in the short term and longer term. The first pillar has five strategic objectives, which we’ll cover below.
Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety
The National Cybersecurity Strategy makes it very clear that regulation is required to implement the strategy. All critical industries can expect new or expanded cybersecurity requirements to come their way in the near term, largely dependent on sector risk management agencies, barring new authorities or legislation. The document states that “Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience.”
With that in mind, the Administration has three goals around regulation:
- Establish Cybersecurity Regulations for CI
The Federal government will use existing regulatory authorities to set cybersecurity requirements for critical sectors, like we saw when the TSA Security Directives rolled out. These regulations will be performance-based and leverage existing standards and common practices, like the NIST Cybersecurity Framework. Cloud computing companies and other “essential third-party services” should also prepare for new scrutiny and regulations.
- Harmonize and Streamline New and Existing Regulations
To minimize the cost and complexity of new cybersecurity requirements, regulatory agencies will leverage existing global standards and ensure that they are harmonized internationally to prevent new regulations from impeding digital trade flows.
- Enable Regulated Entities to Afford Security
With smaller entities and low-margin sectors in mind, Federal agencies should account for variables among industries that impact the ability of those companies to absorb the costs of additional cybersecurity. Regulators are encouraged to incentivize cybersecurity investment through the rate-making process, tax structures or other mechanisms.
Having security controls in place that map to the Identify, Protect, Detect, Respond and Recover functions of the NIST CSF, anda defense in depth or zero-trust-modified architecture based on IEC 62443 standards, will place companies ahead of the curve to meet any regulations that come out.
If operating in a low-margin industry or a smaller municipal electric or water utility, be sure to take advantage of available Federal funding or tax incentives for cybersecurity investments, such as the state and local government cyber grants.
Strategic Objective 1.2: Scale Public-Private Collaboration
Public-private collaboration has been a running theme throughout this administration. This objective establishes CISA as the national coordinator for critical infrastructure security and resilience, but states that sector risk management agencies (SRMAs) will fulfill the day-to-day functions of communicating with industry and applying their sector-specific knowledge to improving cybersecurity. CI organizations should identify who their SRMA is and begin to build a good working relationship with them.
Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) will continue to facilitate the human-to-human information sharing and collective defense of their respective industries. However, there is a heavy focus on machine-to-machine data sharing in this strategy. CISA and the SRMAs have been instructed to explore how to enhance and evolve machine-to-machine data sharing.
Information sharing is lacking trust and verification, has been siloed into sector-specific, private sector, or government agency-specific mechanisms—creating single sources of information without much consensus. In terms of the threat landscape, there is no way to standardize and correlate threat and vulnerability research produced from the competitive market leaders. Despite a reluctance to aggregate information, meaningful information sharing requires a vendor-agnostic mechanism for real-time sharing of early warning data.
Strategic Objective 1.3: Integrate Federal Cybersecurity Centers
The Federal Government will begin to take a more proactive role in coordinating the authorities and capabilities of the departments and agencies responsible for the defense of CI. The Office of National Cyber Director (ONCD) will lead an effort to improve coordination and collaborations across all Federal Cybersecurity Centers, such as the Joint Cyber Defense Collaborative (JCDC) and the National Cyber Investigative Joint Task Force (NCIJTF).
Strategic Objective 1.4: Update Federal Incident Response Plans & Processes
CISA will be updating the National Cyber Incident Response Plan (NCIRP) to better coordinate Federal response efforts to a cybersecurity attack on the private sector. The objective also cites the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires all covered critical entities to report a cyber incident to CISA “within hours” to help facilitate faster incident response at the Federal level.
Strategic Objective 1.5: Modernize Federal Defenses
The Federal government will modernize and update its own digital infrastructure to support a zero trust security approach, with a specific focus on federal civilian executive branch (FCEB) agencies and National Security Systems (NSS), which store some of the most sensitive Federal government data.
CISA will develop a plan of action to collectively defend FCEB agencies through expanded availability of centralized services and a focus on software supply chain security, including building on efforts to require Software Bills of Material (SBOMs). FCEB agencies can expect more Binding Operational Directives, like the recent BOD 23-01, soon.
“The National Cyber Strategy’s non-voluntary requirements for critical infrastructure to increase cybersecurity posture will be met with varying responses from CEOs and Boards alike. While the impetus for a better cyber posture to defend against potential nation-state adversaries is wise and necessary, the ability for these entities to identify the budget and personnel to manage these pieces will take time. As it is for most companies in this macroeconomic climate. We look forward to working with our U.S. critical infrastructure partners, just as we have with their international counterparts, to meet changing regulatory guidelines with the best defenses and visibility possible.”
– Edgard Capdevielle, CEO
The National Cybersecurity Strategy offers a glimpse into the potential regulation and policies coming for critical industries in the near term. If your industry is on CISA’s list of critical infrastructure sectors, begin thinking about how your risk management plans and priorities are approaching cybersecurity and what it will take to fill any gaps in prevention, detection and response strategies for the future.