The Biden-Harris administration released the National Cybersecurity Strategy on March 2, 2023. The national cyber strategy document establishes expectations and offers guidance on how the United States government intends to protect the country’s digital assets and critical infrastructure from the threat of cyberattacks.
To help you understand the U.S.’s new national cyber strategy, this post will dive into the highlights, who needs to worry about it, and what the 2023 National Cybersecurity Strategy means for your IT and infrastructure.
The National Cybersecurity Strategy is a document from the U.S. Federal Government that recommends improvements to American cybersecurity. Key strategies include collaborating with private entities, expanding the federal workforce, and protecting critical infrastructure.
The National Cybersecurity Strategy was published by the Biden-Harris Administration on March 2, 2023, and is the latest in a long list of White House communications pertaining to cyber defense.
Some recent Presidential communications on cybersecurity include:
As expected, the latest strategy reiterates many of the previous recommendations, including the need for increased communication and collaboration amongst government agencies, and improved incident response. The new document unsurprisingly singles out the “governments of China, Russia, Iran, and North Korea” as the primary (but not only) threat actors to “U.S. national security and economic prosperity.”
The 39-page National Cybersecurity Strategy is a roadmap for new laws and regulations to help the U.S. prepare for existing and emerging cyber threats and threat actors. It aligns numerous strategic objectives under five pillars:
It will take time for these objectives to translate into actionable laws and regulations, but many of the strategies are deeply familiar to cybersecurity experts.
Other elements of the strategy broach the possibility of a federal cyber insurance backstop, the development of updated incident response guidance, and the modernization of federal defenses in accordance with zero trust principles, which acknowledge that threats can originate from both inside and outside network boundaries.
History is filled with monumental and painful lessons. The terror attacks of September 11, 2001 changed American consciousness forever. The COVID pandemic taught the entire world how supply chain fragility affects individuals, businesses, and governments. WannaCry – a fast-spreading ransomware attack – caused significant disruption to hundreds of thousands of computers in over 150 countries.
This pillar of the National Cybersecurity Strategy declares that the American people should have confidence in the resilience of critical infrastructure. A malicious, large-scale attack on vulnerable infrastructure could do more than stop business. It could literally destabilize the lives of millions. This new strategy document recognizes that building defenses against cyberattacks is no longer just a nice-to-have – that it may well be the difference between life and death.
The National Cybersecurity Strategy also suggests a more proactive approach to dealing with threat actors, with the intent to disrupt and dismantle their organizations. Crime syndicates that use cyber techniques – such as ransomware gangs – are now considered a threat to national security.
Since these are no longer considered simply criminal acts, additional U.S. agencies like the NSA can now join the fight against them, and the government can reach out to allies and partners for support. To quote the strategy document:
“Collaboration to address advanced threats will only be effective if owners of critical infrastructure have cybersecurity protections in place to make it harder for adversaries to disrupt them.”
The National Cybersecurity Strategy applies to U.S. organizations in the public and private sectors. Broadly, it seeks to increase collaboration and shift cybersecurity responsibilities onto software developers and tech providers.
This strategy entails protection for every person and organization in the United States, and likely has cross-industry impact for businesses both large and small.
While much of the national cyber strategy document is a restatement of previous information and goals, there are also areas where the strategy breaks the mold. One of the areas in which it introduces fresh ideas is in response to ongoing changes in the threat landscape.
For years, software companies have operated under shrink-wrap licenses which force the installer to accept non-negotiable terms and conditions before they can install commercial computer software. This has allowed the authors of software to hide behind a veil of legal protection from a customer’s reasonable use of their products, even if the author is at fault for releasing a product that is insecure or has known flaws.
The latest strategy breaks new ground by indicating that the administration will work with Congress to prevent companies from claiming immunity from liability claims, while also acknowledging that no software is completely secure. Responsibility will no longer fall entirely on the end user or small business, communities that often lack the skills and resources needed to ensure good security hygiene related to application functionality. This will incentivize software providers to ensure that their processes and applications incorporate good security, and that adequate precautions are being taken.
As defined by the National Cybersecurity Strategy, critical infrastructure includes IT and infrastructure used by energy pipelines, food companies, schools, and hospitals.
In addition, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has previously identified 16 critical infrastructure sectors. CISA asserts that failure to protect critical infrastructure in these 16 sectors would have a debilitating effect on security, national economic security, and national public safety.
Many industries in these sectors are expected to be subject to the initiatives laid out in the National Cybersecurity Strategy:
Chemical
Organizations that manufacture, store, use, and transport potentially dangerous chemicals.
Commercial Facilities
Sites that draw large crowds, including hotels, parks, shopping malls, casinos, entertainment venues, and more.
Communications
The sector that provides enabling communications functions to all other critical infrastructure sectors.
Critical Manufacturing
Industries that provide manufacturing to other industries of national significance.
Dams
Includes critical water retention and control services in the U.S., supporting multiple critical infrastructure sectors and industries.
Defense Industrial Base
Organizations engaged in research and development of military weapons systems, subsystems, and components or parts.
Emergency Services
Organizations that help save lives, protect property and the environment, and assist in recovery efforts.
Energy
Industries providing electricity, oil, and natural gas resources and assets.
Financial Services
Financial institutions, including global companies and community banks.
Food and Agriculture
Privately owned farms, restaurants, and food manufacturing, processing, and storage facilities.
Government Facilities
Federal, state, local, and tribal government buildings and spaces.
Healthcare and Public Health
Industries that protect all sectors of the economy from health hazards like terrorism, outbreaks, and natural disasters.
Information Technology
Industries that identify and protect against cyber threats and vulnerabilities.
Nuclear Reactors, Materials, and Waste
Civilian nuclear infrastructure, from power reactors to medical isotopes.
Transportation Systems
The system that moves people and goods, including aviation, highways, mass transit, freight, postal, and maritime transportation.
Water and Wastewater
Systems that provide access to clean, healthy water.
Adopting established compliance frameworks and adhering to security standards are both best practices to align with the National Cybersecurity Strategy.
As the strategy is absorbed into new or revised laws and regulations, existing frameworks and standards will also be updated to reflect its recommendations. Organizations that have eluded regulatory oversight so far should expect minimum cybersecurity requirements to expand, and would be well served by preparing for that now.
There is no enforcement of the 2023 National Cybersecurity Strategy, per se. As of this writing, it represents a wish list of things that the administration feels are necessary for the security of the nation. It is an executive roadmap that prepares for the creation of laws and regulations over the coming years, and it can take months or even years to translate into something enforceable within the private and public sectors.
But that doesn’t mean the strategy can be ignored, especially for those organizations identified as critical infrastructure. The White House indicates that elements of the strategy are already underway based on existing directives, coordinated by the Office of the National Cyber Director. To actually execute the national cyber strategy, the U.S. Federal government will require collaboration from organizations and international allies and partners. That likely includes organizations in your industry.
Puppet’s automation and compliance solutions help organizations with critical infrastructure align with compliance frameworks and security standards.
Having the ability to quickly scan, verify, and adjust configurations to ensure compliance with security standards like CIS Benchmarks and DoD Compliance – and to prevent drift and stay compliant – achieves many components of system hardening across your infrastructure. Compliance automation also helps IT ops teams prevent ‘firefighting’ that comes with audits.
See the value of compliance automation for yourself. Request a free trial of Puppet Enterprise or schedule a demo of Puppet Enterprise, Puppet Comply, and Compliance Enforcement Modules for your infrastructure now.
Senior Director of Product Marketing, Puppet by Perforce
Robin Tatam (CISM CPFA CTSP CTMA PCI-P) is a Product Marketer at Puppet by Perforce, where he promotes the benefits of managing compliance using Puppet. Prior to his role with Puppet, Robin worked as a Security Evangelist, and was a globally recognized SME and five-time IBM Champion. Robin also loves travel and cultural exploration, is an accomplished photographer, and considers himself an amateur mixologist.