The White House’s Office of the National Cyber Director (ONCD) released a report today showing the United States’ cybersecurity posture has improved over the last year, driven by progress on the administration’s March 2023 National Cybersecurity Strategy (NCS).
ONCD noted that the government has stayed on track with the NCS’s Implementation Plan (NCSIP) released in July – with 92 percent of initiatives completed on time. Today, the administration also released Version 2 of the NCSIP, adding 31 new initiatives for implementation across the Federal government.
ONCD head Harry Coker teased the first-of-its-kind cyber progress report in February, and former Acting National Cyber Director (NCD) Kemba Walden – who spearheaded release of the first NCSIP – announced today’s report back in September 2023.
“We are in the midst of a fundamental transformation in our Nation’s cybersecurity. We have made progress in realizing an affirmative vision for a safe, prosperous, and equitable digital future, but the threats we face remain daunting,” NCD Coker said in a May 7 statement. “That’s why I’m pleased to release the 2024 Report on the Cybersecurity Posture of the United States, the first-ever government-produced, national-level report on the state of cybersecurity in America which lays out the progress made and work yet to be done.”
The 37-page progress report focuses on five cyber challenges of 2023, as well as 12 efforts to combat those challenges as laid out in the NCS.
The Biden administration released its much-anticipated NCS in March 2023, harnessing the full power of the Federal government to promote better security, and wrapping private sector interests more fully into the effort.
ONCD published marching orders in July to implement the NCS. The first version of the implementation plan lays out 69 “high-impact” initiatives tasked to 18 separate Federal agencies, with a timeline for completion.
Today’s progress report notes the five trends that drove change to the strategic environment in 2023: evolving risks to critical infrastructure; ransomware; supply chain exploitation; commercial spyware; and AI.
The progress report also highlights action taken by the Federal government during the period covered by this report in 12 categories:
- Establishing and using cyber requirements to protect critical infrastructure;
- Enhancing Federal cooperation and partnerships;
- Improving incident preparedness and response;
- Disrupting and degrading adversary activity;
- Defending Federal networks;
- Strengthening the national cyber workforce through the National Cyber Workforce and Education Strategy (NCWES);
- Advancing software security to produce safer products and services;
- Enabling a digital economy that empowers and protects consumers;
- Investing in resilient next generation technologies;
- Managing risks to data security and privacy;
- Enhancing resilience across the globe; and
- Advancing a rights-respecting digital ecosystem.
“In 2024 and beyond, the Federal Government will build on accomplishments of the past year, continue to implement the NCS and NCWES, and adapt its approach to address emergent challenges and opportunities presented by an evolving strategic landscape,” the report concludes.
ONCD’s NCSIP 2.0 Adds 31 Initiatives, 6 Agencies
According to ONCD, the Federal government was charged with completing 36 initiatives in Version 1 of the NCSIP by the second quarter of 2024. Thirty-three of these 36 – 92 percent – were completed on time and three remain underway.
The three initiatives that remain in progress include the Office of Management and Budget’s (OMB) task to develop an action plan to continue to secure unclassified Federal Civilian Executive Branch Systems; the FBI’s initiative to increase the speed and scale of disruption operations; and OMB’s task to publish a Notice of Proposed Rulemaking to change the Federal Acquisition Regulation to incorporate new requirements outlined in President Biden’s cybersecurity executive order.
An additional 33 NCSIP Version 1 initiatives have completion dates over the next two years and are on track, ONCD said.
Today, the administration unveiled the next phase of the NCSIP, which builds on the first iteration of the document, adding 31 new initiatives – for a grand total of 100 tasks – to be completed over the next two years and spread across 24 agencies, with six new agencies joining the charge.
“As we note the incredible progress to date carrying out President Biden’s National Cybersecurity Strategy, ONCD is pleased to announce the second version of the Strategy’s Implementation Plan with 100 high-impact federal initiatives,” Coker said. “Along with our partners, we will continue to forge ahead and secure the full benefits of a safe and secure digital ecosystem for all Americans.”
The NCSIP has five pillars and 26 broad objectives. In its updated version released today, ONCD paid the most attention to pillar one – defend critical infrastructure – by adding 10 new initiatives.
NCSIP 2.0 is directing the Federal government to put its resources into increasing cybersecurity in sectors like healthcare, education, and water.
Pillar four – invest in a resilient future – saw an addition of eight new tasks, including implementing and reporting on the NCWES and promoting skills-based hiring across the Federal government.
Other new initiatives include implementing cybersecurity labeling programs; working with partners to disrupt and dismantle threat actors; and implementing the State Department’s new international cybersecurity strategy.
ONCD noted that the NCSIP is a “living document” that will be updated annually.
“I welcome the news that the Office of the National Cyber Director has either completed or is in the process of completing all 36 initiatives laid out in the first National Cybersecurity Strategy Implementation Plan (NCSIP),” Rep. Gerry Connolly, D-Va., said in a statement. “Version 2 of the NCSIP is a further demonstration that the Biden Administration is committed to cybersecurity resilience and continuous evolution and iteration in our cybersecurity planning and operations.”
NCD Coker is expected to present a keynote at RSA Conference in San Francisco later this afternoon on the state of the nation’s cyber alongside former Principal Deputy Director of National Intelligence Sue Gordon.