Update to national cybersecurity strategy implementation plan coming before the end of summer
MIAMI — Cybersecurity professionals can expect fresh reading materials in the coming months from the Office of the National Cyber Director, which aims to issue an update to the national cybersecurity strategy implementation plan before the summer is over, a White House cyber official said Tuesday.
The implementation plan outlines how the White House will accomplish the goals outlined in the national cybersecurity plan and is supposed to be a “living document” that is updated as initiatives are complete or new initiatives are added. The implementation plan 2.0 is expected “late spring, early summer,” said Brian Scott, deputy assistant national cyber director for cyber policy and programs.
Speaking at the ICS-focused security conference S4x24 in Miami, Scott also noted that cybersecurity pros can expect an update on software liability reform in the next implementation plan release, and the Biden administration is currently looking at developing a framework around software liability. The White House is also convening a symposium of law professors at the end of March around the issue, he said.
“The administration is committed to working with Congress to develop legislative action to incentivize development of software with more secure code,” Scott said.
One aspect of the framework will be exploring how best to implement safe harbor incentives for companies that are developing code using secure methods. Companies that align with those best practices — which are still being explored — are less likely to face legal issues down the road.
“We want to raise the bar here and raise the standards of care to a higher level for the development of software,” Scott said.
Scott also said to expect the next steps on the White House’s goal to achieve regulatory harmonization across the critical infrastructure sectors. The harmonization effort — which is the first initiative in the implementation plan — will try to coalesce the cacophony of regulations and technical standards that critical infrastructure organizations are expected to follow. The idea is to lower the cost of duplicative or conflicting regulations and standards.
ONCD released a request for information last July asking industry and experts to get a scope of the task ahead that will drive some of the ideas. The White House is developing another framework that could harmonize baseline requirements that apply across as many sectors as possible.
In September, ONCD officials told CyberScoop that the initial idea would not include operational technology as it was considered too bespoke at the time, and instead focus more on IT rules, while noting that they were open to changing that.
