Federal National Cyber Strategy 2.0 on the Way

The White House’s National Cybersecurity Strategy released a year ago ushered in many new priorities for agencies across government in new iterations of their cyber plans, which federal leaders briefed at the CyberScape Summit Thursday. Soon the office anticipates releasing a second iteration of the plan.

“We are getting ready to release our second implementation plan in the coming weeks, and you will see what things we have already accomplished, what things we continue to work on and what new things from that first year of work have come up and suggested needed,” said Assistant National Cyber Director Phil Stupak at the event.

Since the release of the plan, agencies like the Defense Department and National Oceanic and Atmospheric Administration (NOAA) have aligned some of their cybersecurity strategies with pillars outlined with the White House strategy.

Defending critical infrastructure, driving resilience and forging partnerships being a few of those pillars.

Department of the Navy Principal Cyber Advisor Scott St. Pierre said its newer zero-trust concept enabled the department to work between commands, facilities and engineering.

“Both services have developed sound and executed the cybersecurity and cyber resilience plans to protect those capabilities and requested the budget to execute those plans,” St. Pierre said. “They’re getting it done.”

NOAA CTO Frank Indiviglio said critical infrastructure has been one of the more complicated aspects to achieve because the enterprise is spread out between systems.

“It’s now a bunch of different systems. You have to really talk about what those principles are, how are you going to manage them,” Indiviglio said. “Let’s think about how we recreate these systems and the security that goes around them, especially when you’re talking about cloud providers, and how that data is going to go between systems and organizations.”

Red Hat Chief Architect and Security Strategist Michael Epley added that the strategy has created the right incentives for industry partners and government officials to share the responsibilities and create the systems they want to see.

“One of the things that we can do is encourage people to use those technologies and make sure that we’re designing our systems to be resilient,” Epley said. “We just need to be dynamic and agile and how we can tailor that to each of the individual concerns. … It’s going to take a lot of guidance and engineering to make in tools to make these things work.”

One of the biggest aspects of the National Cyber Strategy has been its shift of cybersecurity burden to software manufacturers.

“Many of the things that we’re being asked to do, in terms of adding new technologies or capabilities that might affect our cybersecurity posture, are absolutely new,” Epley said. “We need to lead that; we need to work with government and our stakeholders to make sure that we can get from point A to point B without disrupting our existing postures and without disrupting our operational systems.”

ONCD’s newest resource released last week provides direction for how industry could create memory-safe programming languages.

“This is probably one of the most impactful things that our office has done or will do in the foreseeable future,” Stupak said about the report during the panel.