3 Ways the National Cybersecurity Strategy Could Affect Your Business
On March 1, 2023, the Biden Administration released the National Cybersecurity Strategy (NCS) to defend the nation against cyberattacks. The plan organizes its objectives under five pillars aimed at creating a “defensible, resilient digital ecosystem.” On the surface, the strategy appears to apply to government leaders and agencies. Yet many of its objectives will likely affect businesses across all industries. This article lists the five pillars of the NCS along with three ways the plan will probably affect your business.
The Five Pillars of the National Cybersecurity Strategy
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
Three Ways the NCS Will Impact Businesses
You may think that if your business isn’t related to critical infrastructure, you’re in the clear. That’s not necessarily true; in fact, it’s unlikely. Because the strategy aims for consistent, nationwide cyber resilience, requirements across industries are likely to follow a similar thread. While some businesses will be affected more than others, all organizations should expect these changes.
Increased Cybersecurity Regulations
The first pillar of the NCS outlines objectives to defend critical infrastructure, including establishing minimum cybersecurity requirements in critical sectors. However, several key phrases in this pillar suggest that new minimum requirements will reach the private sector as well.
For example, the plan treats the digital ecosystem as critical infrastructure, calls for public-private collaboration, and recognizes that the majority of critical infrastructure is owned and operated by the private sector. Businesses that rely on digital technology to operate, which today is nearly all of them, can therefore expect to fall under similar regulations. It’s reasonable to assume that minimum security standards will eventually be imposed across most industries.
The first objective in Pillar 1 states that cybersecurity regulations for critical infrastructure should be performance-based and build on existing frameworks such as the NIST Cybersecurity Framework and CISA’s Cybersecurity Performance Goals. This gives businesses with minimal security measures a concrete starting point: adopting those frameworks now is the most direct way to prepare for coming regulatory changes.
Liability for Software Products
In the strategy’s introduction, one of the two “fundamental shifts” needed to reach the plan’s goals is to “rebalance the responsibility to defend cyberspace.” The third pillar expands on this theme with objectives to “hold the stewards of our data accountable,” “drive the development of secure IoT devices,” and “shift liability for insecure software products and services.”
In the data-protection objective, NIST guidelines are referenced again: the strategy calls for legislation that sets national requirements for securing personal data consistent with NIST standards. Because practically all businesses store personal data, this objective hints that all industries will likely face minimum requirements based on NIST guidance.
The call to shift liability for insecure software products and services, objective three of the third pillar, is likely to draw the most attention. It calls for legislation that would establish liability for software vendors that fail to take reasonable precautions, paired with a safe harbor for companies that securely develop and maintain their products. In practice, this shifts the cost of security flaws away from end users and onto the software companies, developers, and engineers who build the products, which raises the importance of secure-by-design practices and documented security testing.
Supply Chain Changes
The fifth pillar focuses on forging international partnerships and includes several objectives directed at national leaders and policy changes. Yet these partnerships will also affect businesses. International collaboration suggests that regulations for businesses in the U.S. might align more closely with those in other countries.
Objective 5 of the fifth pillar calls for securing global supply chains for information, communications, and operational technology. While the requirements in this section relate primarily to governments working across nations to develop new practices and regulations, the stated intent to “work to shift supply chains to flow through partner countries and trusted vendors” implies that companies, and even entire countries, that do not become trusted partners or fail to meet compliance requirements will lose access to parts of the global supply chain.
The near-term fallout of these requirements may be limited, since the plan will be implemented over a period of years. However, organizations should expect supply chain changes, map which of their vendors and components could be affected, and have alternatives ready to maintain business operations.
Overall, the plan calls for sweeping changes intended to provide long-term protection and resilience for the digital ecosystem our country has come to depend on. That goal will only be achieved if every business takes part in meeting the cybersecurity requirements that follow from it.