The White House announced last Thursday its highly anticipated National Cybersecurity Strategy (NCS). Although largely aspirational and short on concrete plans, the 39-page NCS is the Biden administration’s most ambitious statement to date about how it intends to foster and secure the digital ecosystem. Much of the focus is on leveraging existing mechanisms for enhancing cyber resilience in federal agencies and departments, including continuing to hold accountable technology companies with government end users. Other key focus areas include bolstering law enforcement efforts to disrupt and dismantle threat actors, and sharing threat information across the public and private sectors. However, other provisions would bring potentially sweeping changes to private enterprise. Most notably, the NCS endorses legislation that would shift liability for security incidents to software providers. Here, we highlight several key provisions and identify some potential implications.
1. Shifting Liability for Data Security Incidents
The NCS calls for legislation that shifts liability onto entities that fail to take reasonable precautions to secure their software products and services. It would do so, in part, by preventing manufacturers and software publishers from fully disclaiming liability in their contracts and by establishing higher standards of care for software in specific high-risk scenarios. In particular, the administration would put more responsibility on cloud computing companies for securing their customers’ data. But the NCS states that it is shaping, not stifling, market forces and would seek to create a safe harbor for companies that “securely develop and maintain” their products.
Software manufacturers with United States federal government end users may recognize the callout to the NIST-based Secure Software Development Framework, which garnered much attention after the Office of Management and Budget (OMB) issued a memo last September to federal agencies requiring an attestation about secure software practices before agencies could use software developed outside of the federal government. For more about the required attestation to federal agencies, read our previous client alert.
Cloud service providers already doing business with the U.S. federal government may recognize the prominent mention of zero trust. The drumbeat of calls for a zero-trust security model to enhance the current boundary-based security system for cloud services used by the federal government grows louder.
2. Minimum Requirements for Critical Infrastructure
The NCS would leverage the federal government’s massive procurement authority to continue to require government contractors, especially those providing critical infrastructure, to satisfy minimum required cybersecurity standards. Those requirements could form the basis of consistent requirements beyond those with federal contracts. The NCS observes that, “[w]hile voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.” The administration envisions a coordinated effort among the federal government, states and sectoral regulators to:
- Impose robust and clear limits on data collection, transfer, use and maintenance consistent with NIST standards, with enhanced protections for sensitive data like geolocation and health information;
- Identify and remove statutory hurdles to cybersecurity regulations, particularly in the realm of cloud-based services; and
- Secure Internet of Things (IoT) devices through research and development, procurement, risk management and security labeling.
3. Stabilizing Cyber Insurance Markets
The NCS likens a catastrophic cyber incident to a hurricane or earthquake, capable of crippling the economy absent government intervention, and acknowledges that such situations may warrant government aid in recovery. Rather than rushing to create an aid package after the fact, the NCS calls on Congress, state regulators and industry stakeholders to work with the administration to proactively assess and develop possible structures for a federal insurance response to catastrophic cyber events. This would, in the administration’s view, provide some level of certainty in cyber insurance markets.
4. Bolstered Reporting Requirements and Threat Intel Collaboration
The NCS also envisions enhanced cyber incident preparedness and threat intelligence sharing. It taps the Cybersecurity and Infrastructure Security Agency (CISA) to update the National Cyber Incident Response Plan to harmonize response procedures across various government agencies. CISA will also work with other stakeholders to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires covered entities in critical infrastructure sectors to report incidents within hours, a requirement already in place for some government contractors, such as cloud service providers with a FedRAMP-based authority to operate and any company doing business with the U.S. Department of Defense. The NCS also aims to increase the speed and scale of intelligence sharing between the public and private sectors, including by eliminating barriers to classified clearances where appropriate. And it seeks to facilitate the government’s access to private-sector threat intelligence by encouraging participation in nonprofit organizations like the National Cyber-Forensics and Training Alliance and other hubs for operational collaboration with the federal government.
What to Expect
Cybersecurity regulation in the U.S. today is a patchwork of state, sectoral and contractual rules that, to date, have not coalesced into a single, broadly applicable framework. But there is a general government trend in that direction, as cyber regulators and procurement offices increasingly borrow from the same regulatory playbook and today’s best practices become tomorrow’s statutory requirements. This coalesced cybersecurity framework will also benefit companies accepting federal grants and those doing business with the federal government, as those companies may already have implemented some of the cybersecurity requirements. The harmonized cybersecurity requirements may also level the playing field for those companies seeking federal funds and customers in the future.
The NCS is plainly an attempt to put those forces into overdrive. Companies should anticipate broader adoption of standards already promulgated by forerunner regulators, like the New York Department of Financial Services’ Part 500, which mandates increasingly demanding minimum standards and imposes all-of-company cyber governance obligations on executives and directors. Those seeking government contracts should expect more demanding review of cyber preparedness in the bid diligence process and continued enforcement by the DOJ’s Civil Cyber Fraud Initiative. And if the liability-shifting provisions come into effect, we may see stiffer consequences for companies that collect, store and manage—but fail to reasonably secure—personal data.
The NCS, above all else, reflects that the government is focused on cybersecurity and expects public enterprise to be as well. Although it remains to be seen if the administration can meet its legislative objectives, companies would do well to consider:
- reviewing their overall cybersecurity posture, including their incident detection and response plans and third-party vendor relationships;
- building relationships with law enforcement and public-private partnerships to report and exchange cyber threat intelligence;
- calibrating their cyber practices to minimum security standards like NIST to ensure procurement eligibility; and
- placing greater emphasis during the development cycle on securing distributed software, particularly if the administration succeeds in its goal of shifting liability to developers.
For more information, please contact Fenwick’s Cybersecurity and Government Contracts and Public Sector Procurement attorneys.