White House Releases a National Cybersecurity Strategy



by Ted Giesler, Cypress Consulting Group, and Legislative Committee Member

At the beginning of this month, the White House released a new National Cybersecurity Strategy. This is the first strategy released since 2020. The strategy is built on 5 pillars. Those pillars are:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

For those of us in the MSP community, Pillar 3 is the one that is most likely to affect us.

There are 6 objectives listed in Pillar 3. They are:

  1. Hold the Stewards of our Data Accountable
  2. Drive the Development of Secure IoT Devices
  3. Shift Liability for Insecure Software Products and Services
  4. Use Federal Grants and other Incentives to Build in Security
  5. Leverage Federal Procurement to Improve Accountability
  6. Explore a Federal Cyber Insurance Backstop

The first objective is to support legislation to hold accountable entities that collect, use, transfer, and maintain personal data. For you as an MSP who has clients that keep PII like addresses, phone numbers, and email addresses of their clients, you may be held legally liable if that information is disclosed. This objective recommends that such information be stored in a manner consistent with the standards and guidelines established by the National Institute of Standards and Technology.

The second objective really doesn’t affect the majority of MSPs unless you are in the business of developing electronic hardware that uses network connectivity. If you are in the business of developing your own IoT devices, you should be developing a plan for how to do security updates of your devices, a mechanism to distribute those patches, and a notification system for offering those patches to your customers.

The third objective is one of deep interest to the small business community. Currently the liability for a security incident is typically on the end user. The goal of this objective is to move the liability from the end user to the developer of the technology attacked. This is not going to absolve the end user of the technology of all liability. End users will be required to keep up with patching, replace equipment/software that is beyond its supported lifetime, and in general use best practices in the area of cybersecurity. But if a developer is found not to be following best security practices in the development of their software/hardware, they should be held responsible for any damages. You as an MSP may be held liable if you are not following industry standards for notification of patch availability as well as installing those patches in a reasonable timeframe.

The fourth objective is aimed at all levels of government as well as private entities: it seeks to help develop a secure cyber environment by funding that development through government grants.

The fifth objective is already in effect. Those small businesses that have contracts directly or indirectly with the Federal Government are already subject to cybersecurity regulation from within those contracts. This objective calls for expansion of the current program. Additionally, this objective pushes the enforcement of these contractual obligations through the Department of Justice.

Finally, the sixth objective is to look into developing a federal backstop fund for insurance companies affected by a major cybersecurity event. The strategy suggests creating a fund similar to the Federal Deposit Insurance Corporation, which backstops banks. From a small business perspective, development of such an agency could stabilize and possibly lower cyber insurance rates.

Actionable items for an MSP to look at in light of this strategy include:
• Get to know your local legislator(s). This strategy is calling for legislation at the state and local level. Your only way of affecting what is in this legislation is to have a seat at the table when the legislation is being drafted. The only way to get this seat is to be known to the people writing the legislation. Get help in learning how to approach your legislator(s) from the NSITSP legislative committee and the NSITSP member resources.
• Review your cybersecurity policies or have a cybersecurity expert review them for you. Do this for your clients also. Read the frameworks produced by NIST and the CIS controls. See what items fit your environment and budget as well as your clients’ environments and budgets.

But remember, this is a strategy and not law... yet. Look for more news on the items mentioned in this strategy in the near future.

