Understanding the impact of the National Cybersecurity Strategy on governance, risk and compliance

In a move to formalize and standardize a nationwide approach to cybersecurity, the White House recently announced its National Cybersecurity Strategy. It’s designed to serve as a commitment to devote attention and resources to mitigating growing cyber risk, with the Federal government playing a crucial role.

Now is a crucial time to drive a unified focus on cybersecurity. High-profile incidents have rocked the United States and the world in recent years, and the rate of successful cyberattacks is steeply on the rise. The National Cybersecurity Strategy aims to break down silos and foster collaboration between federal and local entities to increase security, particularly for critical infrastructure.

Strategy pillars

This National Cybersecurity Strategy is supported by five pillars:

  1. Defend Critical Infrastructure by defining a collaborative defense model with a foundational level of resilience and security and distributing risk and responsibility for effective management.
  2. Disrupt and Dismantle Threat Actors by strengthening defenses and integrating law enforcement, financial, intelligence, military, diplomatic and information capabilities. This pillar identifies the need for collaboration between public and private sectors for maximum efficacy.
  3. Shape Market Forces to Drive Security and Resilience by leveraging federal grant-making and purchase power to incentivize security and risk mitigation. By promoting practices that enhance security, the burden of poor cybersecurity will shift away from the most vulnerable in the ecosystem.
  4. Invest in a Resilient Future acknowledges the need for collaboration and strategic investments to build a sustainable, secure digital ecosystem. The federal government will invest in R&D, innovation and education and build a new generation of digital infrastructure, including telecommunications and IoT.
  5. Forge International Partnerships to Pursue Shared Goals reinforces the importance of global collaboration for true digital security. The federal government aims to form a coalition of nations to ensure a free, open, interoperable, reliable and secure internet for all.

The foundation of effective strategy

The impetus for the National Cybersecurity Strategy is the prioritization of collaboration and standardization. Each pillar takes steps to increase collaboration among public and private sectors, key organizational entities and governmental agencies, such as the National Security Council (NSC), Sector Risk Management Agencies (SRMAs), the Cybersecurity and Infrastructure Security Agency (CISA) and others.

By developing clear and replicable models at the federal level, the strategy will empower local entities nationwide to build security and resilience. Scaling and replication require governance and compliance to minimize risk.

Key regulations and governance aspects include:

Breach notification

The old adage “time is money” is particularly true in cybersecurity. The speed at which a risk is addressed and reported can have a deep impact on whether an attack succeeds or is replicated in other parts of the network.

Strategic objective 2.3 commits to increasing the speed and scale of threat intelligence sharing and holds both public and private sectors to strict reporting standards. The federal incident response policy is also being revised.

Regulatory frameworks

As established in the strategy, “Regulation can level the playing field.” The strategic environment will incorporate agile, modern regulatory frameworks tailor-fit for individual risk profiles. From the strategy, objective 1.1:

“New and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities and their employees, customers, operations and data.”

At the time of the strategy announcement, the Biden administration had established requirements in the critical infrastructure sector, including natural gas and oil pipelines, rail and aviation, and public water systems.

Ongoing regulations will be performance-driven, leverage existing frameworks, and will be designed with the agility required to meet the ever-evolving threat landscape.

Affordability

Regulatory requirements should be manageable, accessible and cost-effective. The strategy acknowledges that different sectors have unique risk profiles, capacities and resources to meet regulatory requirements and ensure public safety.

The Biden administration promises to work with Congress to form a regulatory authority and develop frameworks taking individual needs and abilities into account. Some sectors will see regulation as a means to level the playing field and eliminate the race-to-the-bottom competition for cybersecurity spend. In other sectors, regulators will ensure cybersecurity investments are incentivized through tax structures and other means.

Focus on governance, risk and compliance

The cybersecurity threat landscape is growing every day. This digital-first world is driven by a demand for convenience, interoperability and a growing digital dependency. As both public and private sectors embrace emerging technologies and complex systems, reliable security measures often feel like a moving target. This is particularly true as self-governing local and global threat actors find innovative ways to exploit weaknesses.

Governance, risk and compliance (GRC) is the backbone of the National Cybersecurity Strategy, helping to foster the collaboration and standardization needed to achieve network security and resilience and to ensure public safety. Security-minded organizations must stay informed on GRC guidelines and approaches.

Learn everything you need to know about CGRC in the Ultimate Guide.

Alexander Shkolnik

Accomplished Security, Privacy, Risk and Compliance Leader

Hello (ISC)2 Governance, Risk and Compliance team. As a long-time CISSP holder, I recently heard about this CGRC cert and would love to learn more. Is this a new program? How much does the certification exam cost? Are there self-study resources available in order to prepare? Thanks!
