The Matrix

The National Cybersecurity Strategy defines five pillars, involving critical infrastructure, threat actors, market forces, future investments and foreign partnerships. This blog post focuses on the collective federal policy initiatives and directives detailed amongst these pillars which will impact U.S. businesses who directly or indirectly provide goods and services to the U.S. federal government. A companion blog post describing how the National Cybersecurity Strategy should be considered by U.S. businesses will be available shortly. 

The federal government will be looking to make strategic investments and upgrades to federal technology infrastructure. Tactics will include modernizing federal systems and the legacy systems in place across federal civilian agencies, as well as to implement funding mechanisms to support adequate cybersecurity infrastructure. New regulations will be put into place to support critical business sectors and these will likely flow down to third party service providers and industry engaging with or supporting agencies. A separate tactic will require harmonization and streamlining of existing regulations.

The federal government will be building enhanced cybersecurity resilience expectations into available funding programs. Tactics identify building resilience expectations into federal grant opportunities and developing funding for critical infrastructure, such as the Bipartisan Infrastructure Law, the Inflation Reduction Act, and the CHIPS and Sciences Act. Tactics also include providing separate funding initiatives to develop cybersecurity resilience goals more broadly across U.S. industries. Companies who have entered into federal contracts may already be subject to Executive Order 14028. A tactic to improve accountability in federal procurement includes empowering the Department of Justice authorities to hold accountable entities or individuals who knowingly provide deficient cybersecurity products or services, knowingly misrepresent security practices or protocols, or knowingly violate obligations to monitor and report cyber incidents and breaches under the existing authorities of the federal False Claims Act. Third party service providers and government contractors should carefully evaluate representations made to the federal government with respect to cybersecurity practices.

The federal government will be continuing its ongoing strategies to regulate and secure global supply chains for information, communications and related technology products and services that support communications and store or transmit sensitive data. The National Cybersecurity Strategy reaffirms existing efforts that restrict the use of foreign-supplied goods and services, including digital services, in federal procurement as well as broader commercial markets that target sensitive personal data.

Federal contractors and companies supporting federal projects should carefully review the new National Cybersecurity Strategy and monitor applicable regulations that may require new or enhanced cybersecurity requirements or alter product developing and sourcing relationships. These companies should also evaluate current or future plans to utilize generate artificial intelligence products and ephemeral messaging platforms as part of business processes or systems that will support federally funded projects.