What Does the 2023 National Cybersecurity Strategy Mean for the Private Sector and Federal Contractors?
August 2, 2023
For the past 20 years, U.S. presidents have released documents outlining the nation’s cybersecurity priorities for their respective terms. Although these documents have appeared under different names, they all follow a similar structure and serve a clearly defined purpose: to realign federal efforts around the incoming administration’s priorities.
On March 2, 2023, the Biden Administration released its National Cybersecurity Strategy. The Strategy is organized around five pillars:
- Defending critical infrastructure
- Disrupting and dismantling threat actors
- Shaping market forces to drive security and resilience
- Investing in a resilient future
- Forging international partnerships to pursue shared goals
The Strategy emphasizes robust cybersecurity measures and the safeguarding of sensitive data in all sectors, including federal contracting. Taken together, the pillars shift the burden from the end user to the most capable stakeholders: the Strategy calls on the private sector to increase its efforts in cyber awareness and cybersecurity resiliency, to double down on Zero Trust Architecture (ZTA) as the foundation of a hardened security framework, and to adhere to new contractual language. Contractors working with the government can anticipate increased scrutiny and stricter requirements tied to the Strategy’s objectives, along with closer collaboration as the public and private sectors address emerging cyber threats and share best practices. The Strategy aims to bolster the nation’s defenses against cyber threats, and contractors are crucial to that effort. They must therefore adjust their cybersecurity practices to align with the Strategy’s guidelines and ensure the security of government systems and data.
Increased Cybersecurity Resiliency
For the United States, increasing cybersecurity resilience means creating a digital ecosystem that is costlier to attack than to defend. In simpler terms, it is an ecosystem in which sensitive or private information is secure and protected, and in which neither incidents nor errors cascade into catastrophic, systemic consequences. Establishing such a system requires well-organized public-private collaboration that holds both parties accountable to a high security standard. The 2023 Strategy pushes this forward by capitalizing on public-private partnerships to enhance threat detection, protect critical infrastructure sectors, and shape the market to prioritize robust cyberinfrastructure.
Under the new Strategy, partnership between the federal government and its contractors will entail the private sector carrying a larger share of the burden. The increased responsibility stems primarily from the fact that private sector providers often have the means to deliver high-standard software and resilience-building tools to a greater extent than the government can. The federal government projects it will spend approximately $10.9 billion in 2023 on civilian cybersecurity, including funding for protection, threat hunting, and emergency preparedness. However, cyber experts predict the market size of the cybersecurity sector in 2023 to be at least 17 times that amount. This gap means the private sector’s financial support and provision of services are critical to maintaining the U.S. cybersecurity edge.
Doubling Down on Zero Trust Architecture (ZTA)
Zero Trust Architecture, or ZTA, is a security framework that requires every user to be continuously authenticated and authorized, with their security configuration validated, before being granted access to applications and data. Zero Trust principles benefit agencies looking to enhance productivity, migrate to cloud services, and maximize risk mitigation. The Memorandum for the Heads of Executive Departments and Agencies sets forth a federal ZTA strategy that requires agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024, reinforcing the government’s defenses against increasingly sophisticated and persistent threat campaigns. Implementing ZTA means adopting practices such as multi-factor authentication, enterprise-managed accounts, and isolation of agency systems so that network traffic is segmented and an attack on one system is less likely to spill over into others.
Federal Civilian Executive Branch (FCEB) agencies, such as the Department of Energy (DOE) and the Department of Homeland Security (DHS), have already begun implementing ZTA. Now, the federal government is calling on the private sector to ramp up its own efforts. Industry, including individual users and small businesses, plays a significant role in the nation’s overall ability to remain cyber-protected. Civilians far outnumber government users; thus, any lapse in judgment, however minor it may seem, could have far-reaching consequences. The Strategy explicitly states that America’s collective cyber resilience cannot rely on the constant vigilance of its smallest organizations and individual citizens, and it urges the private sector to step in.
New Contractual Language
Another likely effect of the Biden 2023 Cybersecurity Strategy is the introduction of new contractual language and provisions that prioritize cybersecurity measures. Government agencies may expect contractors to implement and maintain strict cybersecurity protocols, conduct regular assessments, submit to more frequent audits, and demonstrate their ability to safeguard government data effectively. Enforcing contracting requirements has proven to be an effective means of fostering sound cybersecurity practices and ensuring adherence to established standards. When contractors partner with the government, they accept the responsibility of adhering to contractual language that aligns with the rigorous standards of the Cybersecurity and Infrastructure Security Agency (CISA). Abiding by CISA’s standards has become a prevalent and commendable best practice in federal government-contractor collaborations, given the sensitivity of most of the data involved. New contractual language that reinforces proper data-handling procedures and cybersecurity protocols compels interested parties to elevate their standards in business transactions with federal entities.
Preparing for a New Future
The post-quantum era, a future in which quantum computing becomes the norm or, at the very least, widely accessible, is a critical topic in America’s cyber future. Quantum computing and the software built on it pose a direct challenge to the encryption and security efforts the current administration puts forward in its Strategy. The Strategy calls for a preventative transition of the most vulnerable public services to quantum-resistant environments to increase resilience through risk mitigation. Accomplishing this transition will require increased research and development (R&D) to counter quantum threats. The Biden Strategy states that the federal government will spearhead the initiative and set the example for others, including industry. In the long run, however, this transition of public services to quantum-resistant environments will place an even heavier burden on the private sector, given the enormous capital needed to fund operational technology migration and R&D investments.
How WBD Is Helping
Washington Business Dynamics has over a decade of experience providing cybersecurity support to our federal clients. Our experts support the transition to robust cyberinfrastructure and increase workforce-wide understanding of complex cyber topics. Through our human-centric strategic approach, WBD helps clients prioritize requirements, optimize the distribution of resources and information where needed, identify investment opportunities in diversifying markets, and mitigate risks through analysis. Through these strategies, WBD raises the overall cybersecurity awareness that helps our clients make better decisions.
Author: Anneli Sánchez-Ortiz, Associate at WBD, is a cyber policy and foreign affairs professional engaged with the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA).