This is the twenty-third in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through February 2023. This blog describes key actions taken to implement the Cyber EO during March 2023.
Biden Administration Announces National Cybersecurity Strategy
On March 2, 2023, the White House published the U.S. National Cybersecurity Strategy, which is poised to place significant responsibility for cybersecurity on federal contractors, technology companies, and critical infrastructure owners and operators. The Strategy articulates a series of objectives and recommended executive and legislative actions that, if implemented, would increase the cybersecurity responsibilities and requirements of these types of entities. For example, the Strategy calls for legislation to establish liability for software vendors that fail to take reasonable precautions to secure their software. A more detailed summary of the Strategy’s key elements is available on our blog discussing the release of the Strategy.
Since the release of the U.S. National Cybersecurity Strategy, several federal agencies have published new cybersecurity requirements and guidance in line with the Strategy’s shift towards a more regulatory-focused cybersecurity approach. For example:
- The U.S. Environmental Protection Agency (“EPA”) published a memorandum requiring states to evaluate the cybersecurity of operational technology used by public water systems;
- The U.S. Transportation Security Administration (“TSA”) issued an emergency amendment with new cybersecurity requirements for airport and aircraft operators;
- The U.S. Department of Health and Human Services (“HHS”) released an updated version of its Cybersecurity Framework Implementation Guide; and
- The Federal Energy Regulatory Commission (“FERC”) approved a new Reliability Standard “adding new requirements focused on supply chain risk management for low impact bulk electric system (‘BES’) Cyber Systems.”
Similarly, on March 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) announced the issuance of updated Cybersecurity Performance Goals (“CPGs”), which were referenced within the Strategy. The CPGs, which were originally released in October 2022, are intended to establish a set of fundamental cybersecurity practices to be voluntarily implemented by critical infrastructure owners and operators across all critical infrastructure sectors. The recent update more closely aligns the CPGs with the NIST Cybersecurity Framework (“CSF”) functions. Please see our blog on the updated CPGs for a more detailed discussion.
Moving forward, we will continue to keep you informed of actions to implement the new Strategy.