On February 9, 2016, the Obama Administration released the Cybersecurity National Action Plan (CNAP), marking the high point of a seven-year effort built upon prior lessons learned from cybersecurity trends, threats, and intrusions.   

Many experts applauded its comprehensive approach and initiatives to improve federal cybersecurity practices, investing in research, and promoting public-private collaboration. Yet the CNAP encountered a mixed reception, especially in Congress, where some individuals raised concerns about its feasibility, particularly regarding resource allocation. 

The CNAP includes establishing the “Commission on Enhancing National Cybersecurity” to make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors, modernizing Government information technology (IT) and transforming how the Government manages cybersecurity through the proposal of a $3.1 billion Information Technology Modernization Fund, and taking bold actions to protect Americans in today’s digital world 

That was seven years ago. Has the plan made any advancements in tackling the long-standing systemic challenges in federal cybersecurity seven years later? 

What is the CNAP? 

The CNAP is a comprehensive strategy developed to take near-term actions and put in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety, and empower Americans to take better control of their digital security. FACT SHEET 

It encompasses initiatives to safeguard privacy, ensure public safety, and allow Americans to take greater control over their digital security.   

The plan directs the Federal Government to take new action now. It fosters the conditions required for long-term improvements in our approach to cybersecurity across the Federal Government, the private sector, and our personal lives. 

Five components of the CNAP 

The plan includes five components, each contributing to a broad and robust cyber defense strategy 

1. Policy and legislative frameworks

Frameworks are the foundation of the CNAP. By establishing legal and regulatory boundaries for cybersecurity practices, they define the roles and responsibilities of various stakeholders, including government agencies, private sector entities, and individuals.  

They also set standards for data protection, cybercrime prevention, and response protocols for cyber incidents critical to the security of information systems.  

Since 2016, the CNAP has been updated twice; the revision followed a four-year gap, while the second was only released two years ago. This cadence must be maintained to ensure policy and regulations stay current and effective against ever-evolving cyber adversaries. 

2. Capacity building and skill development programs

Since tech alone cannot safeguard against cyber threats, the CNAP also prioritizes programs that enhance the expertise and preparedness of the cybersecurity talent pool. 

Initiatives include specialized training for government personnel, cybersecurity awareness campaigns for the public, and training programs.  

By promoting cybersecurity careers and increasing the number of cybersecurity advisors available to assist critical infrastructure entities, they aim to create teams capable of responding to and managing complex cyber challenges.  

3. Technological advancements and innovation

The CNAP prioritizes investing in and deploying cutting-edge technologies like encryption, threat detection systems, and cybersecurity analytics.  

Some highlights of the plan: 

• Establishment of the “Commission on Enhancing National Cybersecurity” to make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors. 

• Modernization of Government information technology (IT) and transformation of how the Government manages cybersecurity through the proposal of a $3.1 billion Information Technology Modernization Fund 

• Creation of a National Center for Cybersecurity Resilience, which allows entities to test the security of systems, such as electric grids, in a contained environment. 

4. Strengthening Public-Private Partnerships

Recognizing that the private sector owns and operates much of the nation’s critical infrastructure, the plan advocates for closer collaboration between government and industry. This includes sharing threat intelligence, conducting joint cybersecurity exercises, and developing unified strategies for cyber defense.   

These partnerships are vital for bridging knowledge, resources, and capabilities gaps, allowing for a more cohesive and effective response to cyber threats.  

One of its key features is its emphasis on collaboration between the Government and the private sector through initiatives such as the “Commission on Enhancing National Cybersecurity.” This Commission includes leading strategy, business, and technology experts outside the government sector, including: 

• Thomas E. Donilon – Serving as the Commission Chair, former U.S. National Security Advisor to President Obama, and currently the Vice Chair at O’Melveny & Myers. 

• Samuel J. Palmisano – The Commission Vice Chair, former Chairman, and CEO of IBM Corporation. 

• Keith Alexander – A Commissioner who is the former NSA Director and Chief of Cyber Command, now serving as the CEO and President of IronNet Cybersecurity. 

• Annie Antón – As a Commissioner, Antón is a Professor and Chair of the School of Interactive Computing at the Georgia Institute of Technology. 

The commission’s work laid the foundation for developing and implementing the National Cybersecurity Strategy, released on March 2, 2023, and is poised to place significant responsibility for cybersecurity on federal contractors, technology companies, and critical infrastructure owners and operators. FACT SHEET – National Cybersecurity Strategy. 

5. Updating Government IT Infrastructure

The CNAP emphasizes modernizing the federal government’s IT infrastructure as a crucial step to enhancing the nation’s ability to withstand and respond to cyber-attacks. This includes replacing legacy systems vulnerable to breaches with more secure, modern technologies.  

How well are federal agencies advancing in their modernization initiatives? 

• The DoD is adopting cloud computing, implementing a “zero trust” computing environment, and updating military technology and infrastructure. 

• The Department of Homeland Security is upgrading systems for monitoring and analyzing cybersecurity threats, enhancing border security technologies, and modernizing emergency response capabilities. 

• The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is dedicated to advancing research, development, and deployment of technologies, tools, and techniques to reduce risks to the nation’s critical energy infrastructure posed by cyber and other emerging threats. 

However, several agencies have had varying degrees of success regarding their modernization plans:  

• The Department of Transportation had anticipated the rollout of a modernized system by April 2022, with plans for its launch in the autumn of 2022. However, as of May 2023, the GAO (U.S. Government Accountability Office) has not received a documented modernization plan. The Department of Transportation.   

• The Office of Personnel Management had a partial modernization plan, which needed more complete milestones, necessary work details, and the disposition of the legacy system. A comprehensive modernization plan had yet to be developed for this system. 

Why are some agencies lagging behind others? 

Common challenges and solutions to CNAP 

Let’s look at the perennial challenges of implementing a national cybersecurity strategy. To navigate these challenges, a strategic approach to modernization is essential.  

Challenge 1: Sheer Size and Complexity of Government IT Systems 

The vast and intricate nature of government IT infrastructures, encompassing a diverse array of systems, applications, and networks across geographically distributed agencies, presents a significant hurdle in implementing consistent and effective cybersecurity strategies. 

Solution: 

• Adopt a phased approach to modernization, prioritizing critical systems and infrastructure components. 
• Leverage cloud-based solutions to simplify management and enhance security capabilities. 
• Implement standardized security protocols and configurations across all systems. 

• Utilize automation tools to streamline repetitive tasks and reduce manual intervention. 

Challenge 2: Security of Legacy Systems 

Legacy systems, often designed without modern security principles, can pose significant vulnerabilities within an organization’s IT infrastructure. These systems may be difficult to patch or update, making them high-value cyberattack targets. 

Solution: 

• Conduct a comprehensive inventory of legacy systems to identify and assess their vulnerabilities. 

• Implement appropriate security controls for legacy systems that cannot be modernized. 

• Prioritize the modernization of legacy systems based on their criticality and vulnerability level. 

• Decommission and replace outdated legacy systems with modern, secure systems whenever possible. 

Challenge 3: Keeping Pace with Evolving Compliance Requirements 

The cybersecurity threat landscape constantly evolves, requiring organizations to adapt their strategies and technologies to stay ahead of the latest threats. This requires ongoing monitoring, intelligence gathering, and proactive measures. 

Solution: 

• Establish a dedicated team responsible for monitoring and staying abreast of evolving compliance requirements. 

• Implement a continuous compliance assessment process to promptly identify and address potential non-compliance issues. 

• Utilize automation tools to streamline compliance monitoring and reporting activities. 

• Develop a training program to educate employees on the latest compliance requirements and their impact on their roles. 

Challenge 4: Resource Management 

Resource constraints, including limited personnel and funding, can hinder the implementation and maintenance of effective cybersecurity strategies. 

Solution: 

• Conduct a comprehensive risk assessment to prioritize cybersecurity investments based on risk and potential impact.

• Utilize cloud-based solutions to offload IT infrastructure and security management responsibilities, freeing up resources for strategic initiatives. 

• Invest in training and development programs to enhance the skills and knowledge of existing cybersecurity personnel. 

• Explore outsourcing opportunities for non-core cybersecurity functions to optimize resource allocation. 

Challenge 5: Assessment of Cybersecurity Strategies 

Evaluating the effectiveness of cybersecurity strategies can be challenging, as it often involves intangible factors such as preventing attacks that never occurred. 

Solution: 

• Develop a comprehensive set of metrics and KPIs to track the effectiveness of cybersecurity strategies.

• Utilize data analytics tools to collect, analyze, and interpret cybersecurity data from multiple sources. 

• Conduct regular cybersecurity audits and penetration tests to identify vulnerabilities and assess overall security posture. 

• Establish a feedback loop to incorporate lessons from incidents and exercises into future strategies. 

The future of Cybersecurity National Action Plans in 2023 and beyond 

Jen Easterly’s assertion that “Cybersecurity is not a set-and-forget endeavor” resonates deeply with our philosophy at IPKeys.  

As the cybersecurity landscape evolves at pace, the collaboration between CIO-SP3 Small Business contractors like IPKeys equips federal agencies with crucial support, including access to a wide range of IT services, competitive pricing, and a flexible and responsive approach to IT service delivery.  

IPKeys understands the unique challenges faced by government agencies and has a proven track record of success in providing cutting-edge IT services to DoD and federal agencies. We have helped numerous clients modernize their IT infrastructure, strengthen their cybersecurity posture, and achieve their mission-critical objectives through next-generation cybersecurity solutions such as Cyber-Lab-as-a-Service (CLaaS) – a unified, AI-fueled RMF automation analytics and reporting platform optimized for Federal agencies.   

Talk to us about how we can help you navigate the evolving cybersecurity landscape and achieve your long-term security objective. 

Cybersecurity National Action Plan – Common FAQs 

What are the objectives of national cybersecurity? 

The objectives include defending critical infrastructure, disrupting and dismantling threat actors, developing effective cyber incident response and management strategies, protecting critical national infrastructure, investing in research and development, promoting international cooperation, enforcing legal and regulatory measures, raising public awareness, and encouraging the development of cyber insurance markets and risk management strategies.  

How does the national cybersecurity strategy address emerging cyber threats? 

The national cybersecurity strategy addresses emerging cyber threats through a multi-faceted approach, including defending critical infrastructure, disrupting and dismantling threat actors, and investing in research and development to advance cybersecurity technologies and strategies. 

What role does the CNAP play in promoting international cooperation on cybersecurity? 

The CNAP recognizes that cybersecurity is a global challenge that requires international cooperation. The plan includes several initiatives to promote international cooperation, such as 

• Sharing information about cyber threats and vulnerabilities. 

• Developing joint cybersecurity training and exercises. 

• Strengthening legal and regulatory frameworks for cybersecurity. 

What is NCSIP? 

NCSIP builds on the objectives outlined in the CNAP. Released in 2022 by the Biden Administration, it includes 65 federal initiatives across five pillars aimed at increasing cybersecurity investment, assigning federal agencies to specific initiatives, and giving timelines for completion. The plan is designed to ensure transparency and a continued path for coordination, detailing high-impact federal initiatives, from protecting American jobs by combating cybercrimes to building a skilled cyber workforce equipped to excel in an increasingly digital economy.