Security and risk leaders beware, the Biden Administration released the next major step in its plan to implement the National Cybersecurity Strategy (NCS) on July 13, 2023. The National Cybersecurity Strategy Implementation Plan (NCSIP) includes 65 federal initiatives across five pillars aimed at increasing cybersecurity investment, assigning federal agencies to specific initiatives, and giving timelines for completion.

Eighteen federal departments and agencies are tapped to lead initiatives, with the Office of the National Cyber Director (ONCD), Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), Department of Defense, Department of Justice, Department of State, Deparmtent of Homeland Security, and the FBI getting the lion’s share of the responsibility. The ONCD and Office of Management and Budget (OMB) will lead the administration’s efforts and make funding proposals. The plan, however, doesn’t include any funding but does reference future budget requests such as the Administration Cybersecurity Priorities for the FY 2025 Budget.

The NCSIP is the implementation plan for the NCS, providing more details on the timeline, how to execute it, and what entity will be responsible for executing it. To learn more about the NCS and each initiative in depth, read our previous blog on the announcement here.

The NCSIP is meant to do two things:

  1. Ensure that the public and private sector address cyber risks against critical infrastructure.
  2. Provide incentives for those committed to long-term cybersecurity investments.

Notably, each pillar has initiatives that directly affect the private sector, encompassing any and all “critical infrastructure.” Use The Forrester Model To Defend Against Nation-State Threats to understand your potential liability to regulations like these and what to expect in the next several years.

Below is a quick overview of each pillar, along with its key initiatives. Each key initiative indicates whether the private sector or federal government will be responsible or affected.

Pillar One: Defend Critical Infrastructure

Pillar One establishes regulations, standards, and directives to support the defense of critical infrastructure — it’s where regulations meet critical infrastructure providers in the public and private sector. It focuses on baseline standards for critical infrastructure, creating a method to provide updates and information to critical infrastructure providers, and modernizing federal cybersecurity infrastructure through tabletop exercises, unification of federal cyber centers, and the modernization of the Federal Civilian Executive Branch.


Pillar Two: Disrupt And Dismantle Threat Actors

Pillar Two is as close to “hack back” as we will likely get — coordinating the disruption of cyberattacks through as many means as possible by the federal government. It includes takedown campaigns, ransomware disruption, legislation, proposals for regulations on infrastructure-as-a-service providers, international relations, and updates to international standards.


Pillar Three: Shape Market Forces To Drive Security And Resilience

Pillar Three continues the government’s emphasis on securing the software supply chain by advancing software bill of materials (SBOM) requirements, initiating internet-of-things labeling, and establishing standards for coordinated vulnerability disclosure. For more on SBOM, check out Janet Worthington’s report, Prepare For Regulatory Requirements On Software Bills Of Materials.


Pillar Four: Invest In A Resilient Future

Pillar Four looks to the future — securing the internet and the workforce against emerging technologies. It focuses on improving the security of the internet, transitioning to more secure technologies such as memory-safe programming languages and quantum-resistant cryptography-based environments, and enabling initiatives like secure-by-design and engineering training to blossom.


Pillar Five: Forge International Partnerships To Pursue Shared Goals

Pillar Five focuses on enhancing cybersecurity capabilities, standards, and assistance with US allies and partners to secure cyberspace. With its international partnerships, the US government will build cyber coalitions and capacity, strengthen law enforcement, hold states accountable, expand foreign assistance for incident response, and promote secure supply chains for information and communications technologies.


The NCS and NCSIP have the potential to bolster the United States’ cyber resilience. This leadership at the national level has been long needed given the fractured nature of US cyberdefense and the reliance of private sector entities to defend themselves against nation-state actors.

While these are positive steps, these initiatives will push additional regulation to the private sector, especially critical infrastructure. Security and risk leaders will have to plan for and adapt to these changes as they are introduced.

Stay tuned for additional blogs and research as the NCS moves forward. Forrester clients can schedule an inquiry or guidance session to discuss any of the topics mentioned in this blog and how they may impact them.


We’re excited to announce that we’re accepting entries for The Security & Risk Enterprise Leadership Award! This is an excellent opportunity to showcase how your organization builds trust and to gain recognition for your efforts. We can’t wait to see how you have transformed security, privacy, and risk management to drive trusted relationships with customers, employees, and partners to fuel your organization’s long-term success.

The deadline for submissions is Friday, August 11. To view complete award nomination criteria and submit an entry, visit here.