Today, the White House unveiled a major new Cybersecurity National Action Plan (CNAP), which focuses on additional efforts to secure Critical Infrastructure and Federal Information Technology (IT); elevates focus on privacy issues through the creation of a permanent Federal Privacy Council; increases consumer-facing education efforts; and addresses workforce development recruiting and educational needs. The plan includes a request to Congress for a 35% increase in cybersecurity funding across the board for a total of $19 billion. The efforts build upon the President's various Cybersecurity Executive Orders and Presidential Policy Directives issued during the course of his Administration.
Commission on Enhancing Cybersecurity
The CNAP also includes a number of immediate action items, such as the creation of the bipartisan Commission on Enhancing Cybersecurity, which will be tasked both with delivering a plan to the President by the end of 2016 and with looking at medium- and short-term planning needs. The National Institute of Standards and Technology (NIST) will provide support to the Commission. The protection of Critical Infrastructure continues to be a priority, with a focus on the near-term issuance of a National Policy for Incident Response, to be released along with an associated "severity methodology" for evaluating cybersecurity incidents. The U.S. Departments of Homeland Security (DHS), Commerce and Energy will also create a National Center for Cybersecurity Resilience, which will allow public-private sector partners to simulate cyber-attacks in a controlled environment. DHS will also work with Underwriters Laboratories (UL) and other industry partners to create a "Cybersecurity Assurance Program," which will test and certify networked devices within the Internet of Things.
Commitments to securing the Federal IT posture continue with the creation of a new Federal Chief Information Security Officer, who will report to Tony Scott, the current federal CIO. Under the proposal, all agencies will be required to modernize their respective IT systems, and the budget request asks Congress for $3.1 billion to create an IT Modernization Fund (ITMF), which the General Services Administration (GSA) will manage. The ITMF will be used to retire legacy systems in the government, move some operations to the cloud, and integrate "security by design," among other things. Agencies will be required to pay back the fund through a revolving structure.
The CNAP also includes a privacy focus, through an Executive Order that was issued today. The Executive Order will create a new permanent Federal Privacy Council, which will be composed of privacy officials from across the government. The Office of Management and Budget (OMB) will participate and will be required to issue a report to the President within four months.
Research and Development
Research and Development is also a continued focus, with the release of the 2016 Federal Cybersecurity Research and Development Plan. The Plan will also include efforts with the Linux Foundation's Core Infrastructure Initiative to fund and increase the security of commonly used Internet "utilities," such as open-source software, protocols, and standards. The CNAP also creates a new Cybersecurity Corps Reserve Program, which will focus on next-generation cybersecurity professionals and will offer student loan forgiveness if students join the Federal Government. It will also create a Core Cybersecurity Curriculum to ensure continuity in cybersecurity programs across the board.
International norms and rules of engagement are also critical, and the CNAP cites to the G20 Communique from 2015, which laid out international norms of engagement on cybersecurity. Ongoing bilateral and multilateral agreements will be sought to build upon this effort throughout 2016.