White House’s National Cybersecurity Strategy Implementation Plan (NCSIP)

Topics:
Cryptography
This is some text inside of a div block.
Tools & processes
This is some text inside of a div block.
Axel Wirth
Axel Wirth

July 26, 2023

White House’s National Cybersecurity Strategy Implementation Plan (NCSIP)

Following the release of the National Cybersecurity Strategy (NCS) in March of this year, the Biden-Harris Administration followed up with a National Cybersecurity Strategy Implementation Plan (NCSIP) in July. Both documents express the urgency to improve US government and critical infrastructure cybersecurity posture and recognize the growing cyber threats to our citizen, economy, and sensitive information. This critical infrastructure includes healthcare and by extension medical devices.

The aim of the National Cybersecurity Strategy is to strengthen the collaboration among stakeholders to defend critical infrastructure, disrupt and dismantle threat actors, help shape market forces to drive security and resilience, invest in a more cyber-secure future, and forge international alliances in support of these goals.

One clear message that strategy and implementation plan deliver is the need to shift cybersecurity responsibility from the end user (such as the owners or operators) to the biggest, most capable, and best-positioned entities — meaning producers of software and devices will need to assume a greater share of the burden for reducing cyber risk. It also includes incentives to favor long-term investments into cybersecurity.

Those in the medical device industry will recognize parallels with other government initiatives, including H.R.2617 — Consolidated Appropriations Act (Omnibus Bill, Dec. 2022, being the first federal laws requiring medical device security), giving FDA explicit authority on cybersecurity, as demonstrated through the “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices” (under Section 524B of the FD&C Act).

The Cybersecurity Implementation Plan details more than 65 high-impact Federal initiatives, from protecting American jobs by combating cybercrimes to building a skilled cyber workforce equipped to excel in our increasingly digital economy.

The NCSIP is built around the NCS pillars and strategic objectives:

  1. Defending Critical Infrastructure: coordinated incident response between government and private sector with CISA being tasked to update the National Cyber Incident Response Plan to realize an approach of “a call to one is a call to all.” as well as defining the roles and capabilities of Federal agencies in incident response and recovery.
  2. Disrupting and Dismantling Threat Actors: with ransomware being a particularly prominent and disruptive format of cyber attack, the plan proposes a Joint Ransomware Task Force. FBI will work with Federal, international, and private sector partners to carry out disruption operations against the ransomware ecosystem. CISA, will be offering resources such as training, cybersecurity services, technical assessments, pre-attack planning, and incident response to high-risk targets, like hospitals and schools.
  3. Shaping Market Forces and Driving Security and Resilience: Increasing software transparency allows market actors to better understand their supply chain risk and to hold their vendors accountable for secure development practices. CISA continues to lead work with key stakeholders to identify and reduce gaps in software bill of materials (SBOM) scale and implementation.
  4. Investing in a Resilient Future: U.S. leadership in technical standards is essential to the security of cyberspace. The National Institute of Standards and Technology (NIST) will coordinate issues in international cybersecurity standardization and enhance U.S. federal agency participation in the process. NIST will also finish standardization of one or more quantum-resistant public key cryptographic algorithms.
  5. Forging International Partnerships to Pursue Shared Goals: Cyberspace is global and requires close collaboration with partners and allies. The Department of State will publish an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities.

A total of 18 agencies will be leading these initiatives and whole-of-government approach, demonstrating the deep commitment to a more resilient, equitable, and defensible cyberspace.

What’s next:

The cybersecurity industry is no longer future gazing at what the impact on medical devices will be. Instead the reality we are living everyday shows establishing a proactive cybersecurity program is an imperative for businesses to thrive. This is a hard problem to address and requires collaboration across multiple-functions that sometimes have conflicting motivators (see our white paper here which outlines some of these).

The message delivered across government initiatives, from White House to FDA, is clear — medical devices need to be “secure by design” and “secure by default”, thus relieving the burden from hospitals to secure these devices on their networks.

Further Reading:

MedCrypt provides medical device cybersecurity products and services that meet regulatory guidance requirements. Schedule a meeting with us at info@medcrypt.com and learn more about our solutions.

Related articles

2024 H-ISAC Fall Summit: Cybersecurity in Healthcare with Medcrypt
This is some text inside of a div block.

2024 H-ISAC Fall Summit: Cybersecurity in Healthcare with Medcrypt

Thought leadership
This is some text inside of a div block.
Company
This is some text inside of a div block.
All authors
All authors

The Overlooked Cyber Threat to Diagnostic Devices: Lessons from Synnovis Cyberattack and Beyond
This is some text inside of a div block.

The Overlooked Cyber Threat to Diagnostic Devices: Lessons from Synnovis Cyberattack and Beyond

Tools & processes
This is some text inside of a div block.
Vulnerability management
This is some text inside of a div block.

December 13, 2024

Navigating the Evolving Landscape of Medical Device Cybersecurity
This is some text inside of a div block.

Navigating the Evolving Landscape of Medical Device Cybersecurity

Thought leadership
This is some text inside of a div block.

December 4, 2024

Subscribe to Medcrypt news

Get the latest healthcare cybersecurity news right in your inbox.

We'll never spam you or sell your information