As The Washington Post reports, the expansive roadmap divvies up 69 initiatives across 18 separate agencies. Areas affected by the rules the implementation plan covers include cybersecurity for critical infrastructure and federal agencies, as well as accountability for software developers over security lapses. The White House calls the plan “a living document that will be updated annually.”
As Dark Reading reports, while some security professionals hailed the importance of the plan and said its reasonably tight deadlines sent the correct message to stakeholders, some also reiterated concerns about funding for the plan and a lack of bipartisan support from lawmakers. “Creating the legal and regulatory framework for enforcement requires working with Congress, which seems unlikely in our currently divisive political climate,” Karen Walsh, cybersecurity compliance expert at Allegro Solutions, is quoted as saying.
Sabeen Malik, VP of global government affairs and public policy at Rapid7, told SDxCentral that the plan “is a great step for both the government and the private sector to find ways to continue partnering together to help the President execute his vision for cyber.” Drew Bagley, VP of counsel of privacy and cyber policy at CrowdStrike, added that “the authors applied significant focus on the broad application of secure-by-design or secure-by-default principles.” ForgeRock CEO Fran Rosch told the publication the plan reflects the U.S. government’s shift to viewing cybersecurity policies as mandatory.
As BankInfoSecurity reports, Black Hat and DEF CON conference founder Jeff Moss enthused on social media, “This is the first time I can remember seeing a document [of] this high-level documenting initiatives, who is responsible for it, and expected completion dates.”
CyberScoop notes that the plan came against a challenging backdrop: a Chinese hacking campaign and a court ruling pausing cybersecurity requirements for U.S. water systems.