The White House has released the implementation plan for the key “pillars” in the National Cybersecurity Strategy that was published in March and discussed in our prior blog post. The implementation plan represents another step forward in the Administration’s efforts to expand the cybersecurity regulatory footprint and establish or otherwise shift roles, responsibilities, and liabilities, placing greater obligations on critical private sector entities that will require deliberate analysis and management.
I. Key Elements
The plan sets forth 65 initiatives and is particularly notable for the Administration’s effort to push certain categories of companies to bear more responsibility (and liability) for security. While a number of the initiatives place particular responsibilities on various federal agencies, companies should pay particular attention to certain elements that focus on shifting liability to private actors and on emerging compulsory standards for critical infrastructure providers.
1. Shifting Liability to Private Actors.
- A new liability framework for software products and services (Initiative 3.3.1) – The plan aims to establish a legislative framework for a liability regime for software products and services, and will pursue that goal through a symposium hosted by the Office of the National Cyber Director to discuss the regime and concomitant standards of care for industry. Legislation would be required to make those standards actionable (in particular through legislative safe harbors that will shape the contours of responsible behavior).
- Software bill of materials (SBOM) (Initiative 3.3.2) – The plan pushes for increased transparency into software products and possible vulnerabilities by requiring precise documentation of software used in critical infrastructure through the expanded use of SBOMs, which require software developers to keep a detailed inventory of the components of any new software. Such records are essential to understanding the origins of code and tracing potential problem sources, as was required when the Log4j vulnerability led to widespread efforts by companies to identify their reliance on such code.
- Federal procurement (Initiatives 3.5.1 and 3.5.2) – The plan calls for stricter government review of the execution of security obligations within federal contracts. The Administration anticipates releasing new federal acquisition rules that focus on cybersecurity incident reporting, standardized cybersecurity contract requirements, and secure software. Indeed, even companies that do not directly contract with the government will be impacted by derivative requirements. Critically, the Department of Justice will continue to pursue government contractors for failing to meet cybersecurity obligations through the Civil Cyber-Fraud Initiative—through which DOJ has already been obtaining multi-million dollar fines against companies for failing to comply with cybersecurity commitments in government contracts under the False Claims Act—and the new acquisition rules will likely provide a broader foundation for such actions.
2. Compulsory Federal Standards for Tech and Critical Infrastructure.
- Critical infrastructure security (Initiative 1.1.2) – The National Security Council (NSC) will lead the continued regulatory expansion of definitive cybersecurity requirements through all critical infrastructure sectors. The NSC will rely upon regulators to identify potential weaknesses in their sectors, and aims to have security requirements in place halfway through fiscal year 2025.
- Infrastructure-as-a-Service security (Initiative 2.4.1) – The plan directs the Department of Commerce to propose rules by the end of the year to implement an executive order establishing risk management standards for Infrastructure-as-a-Service (IaaS) providers and resellers. Given concerns expressed in the strategy released in March, we would expect the rules to focus on know-your-customer requirements and other regulatory means of mitigating the risk of malicious foreign actors accessing and taking advantage of American technology providers.
- CIRCIA (Initiative 1.4.2) – Implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) continues apace. This initiative directs the Cybersecurity and Infrastructure Security Agency to take steps towards, and finalize, implementing regulations for critical infrastructure cyber incident reporting by the end of fiscal year 2025. Among other things, these regulations are expected to have mandatory reporting requirements for incidents and ransomware payments for companies in covered critical infrastructure sectors.
II. Takeaways
The plan confirms that the Administration will continue to push for aggressive federal regulation of cybersecurity. As legislation emerges shifting liability to the private sector, companies involved in software development need to take steps to make sure that the emerging standards are taken into account in the software development process. In addition, all companies, but especially technology providers, those in critical infrastructure sectors, financial institutions, and government contractors, should consider preparing for increased governmental scrutiny by:
- Determining the likelihood that their sector or business will fall within the scope of one or more of these initiatives;
- Assessing risks and potential vulnerabilities, and reviewing and updating governance controls in contemplation of the emerging standards;
- Evaluating procedures for incident reporting and information sharing with an aim towards quickly actionable incident assessment, escalation, and reporting protocols; and,
- Monitoring draft federal acquisition rules and reviewing any federal contract obligations to ensure commercial capabilities are geared towards achieving compliance.
This article has been co-authored by summer associate Anne Klok.