Even the US government isn’t immune to cyberattacks. Tech giant Microsoft recently discovered another Chinese cyber-espionage campaign, with this one compromising at least 25 organizations. Although details are still coming in, the Department of Commerce appears to be one of the victims.
Introduced back in March and published July 13, 2023, the National Cybersecurity Strategy Implementation Plan (NCSIP) establishes a vision for how the US allocates roles, responsibilities, and resources for battling cyberattacks and increases incentives for long-term investments in cybersecurity. The plan is designed to ensure transparency and coordination among the federal government’s many agencies in realizing this vision.
This is the first iteration of the NCSIP, which will be updated annually. Eighteen agencies are leading initiatives in the plan.
The Office of the National Cyber Director (ONCD) will coordinate activities, including an annual report to the President and Congress on the status of implementation, and partner with the Office of Management and Budget (OMB) to ensure funding proposals in the President’s Budget Request are aligned with NCSIP initiatives. The government will also continue efforts to strengthen collaboration with the private sector, civil society, international partners, Congress, and state, local, Tribal, and territorial governments.
NCSIP at a Glance
So what’s in the NCSIP? It details over 65 high-impact initiatives, each assigned to a responsible agency and with a timeline for completion. The initiatives are based on five pillars:
Pillar 1: Defending Critical Infrastructure
This includes the Cybersecurity and Infrastructure Security Agency (CISA) taking the lead in updating the National Cyber Incident Response Plan to ensure the government acts in a coordinated manner during a cyber incident.
Pillar 2: Disrupting and Dismantling Threat Actors
One of the main initiatives under this pillar is for the FBI to strengthen the capacity of the National Cyber Investigative Joint Task Force (NCIJTF) to coordinate takedown and disruption campaigns with greater speed, scale, and frequency.
Pillar 3: Shaping Market Forces to Drive Security and Resilience
This pillar includes an initiative for CISA to work with stakeholders to move forward with software bill of materials (SBOM) requirements. This will help ensure that all companies in the supply chain providing the US government with software and services are sufficiently protected against cyberattacks, reducing gaps in scale and implementation.
Pillar 4: Investing in a Resilient Future
Among the initiatives under this pillar is for the National Institute of Standards and Technology (NIST) to complete the standardization of one or more quantum-resistant public key cryptographic algorithms. In 2022, NIST selected the first-ever group of encryption tools that could potentially withstand the attack of a quantum computer. They’ll become part of NIST’s post-quantum cryptographic (PQC) standard.
Pillar 5: Forging International Partnerships to Pursue Shared Goals
Initiatives under this pillar include the Department of State publishing an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities.
A Sixth Section
The NCSIP adds a sixth section not contained in the original strategy — Implementation-wide Initiatives. The two initiatives in this section call for reporting on strategy implementation progress, applying lessons learned from implementing the strategy, and ensuring federal budgetary guidance aligns with the strategy’s implementation. The funding aspect is particularly critical to executing the objectives.
One thing missing from the NCSIP, however, is the topic of cloud security. With the ubiquity of the cloud and the many attack vectors it includes, it’s increasingly important to make cloud security a priority at the public, private, and government levels. It’s hoped that future iterations of the plan will address this.
Your Cybersecurity Strategy
The release of the NCSIP serves as a strong reminder that all organizations need to implement a comprehensive, constantly reviewed, and updated cybersecurity plan. Self-administered or third-party IT security assessments can help identify gaps and needs.
US Signal’s IT security professionals are available to assess and help strengthen your organization’s security posture. Learn about some of our services here, or contact us for a consultation by phone at (888) 663-1700.