Mastering National Cybersecurity Strategy Compliance with PwC
Key Takeaways
⇨ The White House recently unveiled a National Cybersecurity Strategy that will reshape security and compliance demands.
⇨ Software companies will soon be liable for their cybersecurity failures, and new regulations will aim to protect crucial technological infrastructure.
⇨ Organizations should reach out to government cybersecurity bodies to shape new laws and prepare for new regulations.
The U.S. federal government recently unveiled the implementation plan for the National Cybersecurity Strategy. According to a White House press release, the plan aims to enact two major shifts in how the U.S. addresses cybersecurity concerns. They are “ensuring that the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk” and “increasing incentives to favor long-term investments into cybersecurity.”
All in all, there are 18 agencies that will be responsible for setting up controls and regulations as the government works with private companies to ensure that the U.S. economy remains resilient against cyberattacks.
This implementation plan was released just four months after the strategy document itself. This blistering pace indicates how seriously the federal government is addressing these concerns and how swiftly organizations will have to act to keep pace and remain compliant.
Preparedness
To help organizations prepare for the changes this strategy will bring, PwC published a guide for companies so they can know what to expect. There are dozens of initiatives baked into the cybersecurity plan, but PwC highlighted three important points:
- The strategy intends to hold software companies liable for cybersecurity failures.
- It proposes regulations to protect critical infrastructure.
- It advances a “defend-forward” approach coupled with law enforcement actions to disrupt malicious actors.
Accountability
Perhaps the biggest shift from the National Cybersecurity Strategy is that software companies will soon be liable for their cybersecurity failures. Companies will be able to apply for a US Cyber Trust Mark, which indicates their products meet federal security standards.
It is crucial that organizations prepare now to meet this standard. Companies should also ensure that their teams have the flexibility and agility to keep up with frameworks as they shift and evolve.
Regulations
As more and more critical business functions require online infrastructure, the threat posed by a significant cyberattack grows. One of the three prongs of the federal government’s plan is to establish an initiative for cyber regulatory harmonization.
By spring of 2025, the Office of the National Cyber Director and the Office of Management and Budget aim to have baseline cybersecurity requirements set for critical infrastructure. As part of this initiative, government agencies are working to standardize foundational internet infrastructure capabilities.
PwC recommends that major organizations prepare to participate in the planning stages of these initiatives. Organizations can communicate their challenges to the ONCD and the OMB, though fact-finding is set to be completed by the end of 2023.
Defend-Forward Approach
The third part of the cybersecurity plan aims to prevent attacks before they occur. The “defend-forward” approach will rely on cooperation between the FBI, DOJ, CISA, State Department, and Treasury Department, among others. This will help find and disrupt malicious actors before they can launch attacks. To best assist these organizations, companies should share information whenever possible and participate in coordinated responses to cyberattacks.
Conclusion
Though it does place some burden on companies, the federal government’s National Cybersecurity Strategy can ultimately be a positive development. Organizations all around the world will benefit from reduced cybersecurity incidents.
PwC recommends that organizations take proactive measures to prepare for these imminent changes. First, companies should engage with regulators. This allows companies to offer input so that their concerns are heard and they are not blindsided by new regulations.
Companies should also conduct a thorough examination of their own cybersecurity apparatus. That way, they can ensure that they are able to mitigate all threats and remain agile enough to comply with new regulations.