Client Alert: A Cybersecurity Roadmap: The National Cybersecurity Strategy Implementation Plan (July 2023)
On July 13, 2023, the White House published the National Strategy Implementation Plan (the Implementation Plan).[1] According to the White House, the Implementation Plan is a “roadmap to realize” the mission of the National Cybersecurity Strategy (the Strategy), which was released in March.[2]
In a March 9, 2023 client alert, we outlined the Strategy’s objectives and anticipated impact, including the five pillars crucial to developing a more secure digital ecosystem: (1) defense of critical infrastructure; (2) disruption of threat actors; (3) use of market forces to incentivize security and resilience; (4) federal investment; and (5) international partnerships.[3] In addition, the Strategy breaks each pillar into several strategic objectives.[4]
The Implementation Plan is one of the first steps in the White House’s execution of its Strategy, which will ultimately take years to fully implement. The White House noted that the Implementation Plan is a “living document” and that we can expect annual iterations of the Plan.[5]
I. Implementation
Portions of the Strategy are already in progress. On June 20, 2023, the Department of Justice announced a new National Security Cyber Section in the National Security Division.[6] On June 27, 2023, the Office of Management and Budget (OMB) issued a memorandum that outlines cybersecurity investment priorities for the federal government’s fiscal year 2025 budget and guidelines for agencies’ budget submissions.[7]
The Implementation Plan assigns each of the Strategy’s initiatives to a federal agency and provides ambitious deadlines for the completion of each. Several of the implementation plans will impact the private sector, including:
-
- By early 2024, the Office of the National Cyber Director must host stakeholders for a legal symposium to explore different approaches to developing the software liability framework laid out in the Strategy—which will involve holding liable software companies that do not follow best cybersecurity practices.[8] The legal symposium will involve discussions with software stakeholders in the private sector to develop a well-informed approach to the liability regime.[9]
- By the end of 2024, the Cybersecurity and Infrastructure Security Agency (CISA) will offer resources to “high-risk targets” of ransomware, including critical infrastructure organizations, to increase their protections against ransomware attacks.[10] Those resources may include “training, cybersecurity services, technical assessments, pre-attack planning, and incident response.”[11]
- By early 2025, the National Security Council, in coordination with the Office of the National Cyber Director and Sector Risk Management Agencies, must establish cybersecurity requirements across critical infrastructure sectors.[12] The sixteen critical infrastructure sectors include industries such as communications, critical manufacturing, energy, financial services, food and agriculture, healthcare, information technology, and transportation systems.[13]
- As we previewed in March, CISA is responsible for issuing a final critical infrastructure cyber incident reporting rule.[14] When the final rule is implemented, it will require covered entities to report covered cyber incidents to CISA within 72 hours of the incident, and ransomware payments within 24 hours of making the payment.[15] According to the Implementation Plan, by fall of 2025 companies will have clarity about (1) whether they are a covered entity and (2) what types of cyber incidents must be reported to CISA.[16]
II. Opportunities for Clients
Like the Strategy, the Implementation Plan calls for input from the private sector.[17] In particular, the Implementation Plan asks agencies to partner with the private sector to implement the plan.[18] The White House welcomed feedback from the private sector, promising to refine the Implementation Plan in response to private sector assessments of each initiative’s effectiveness.[19]
Private sector entities should look for opportunities to assess the effectiveness of implementation efforts and provide the White House with feedback where appropriate. Jenner & Block stands ready to assist clients in making that assessment and in preparing for the implementation of the National Cybersecurity Strategy.
I. Implementation
Portions of the Strategy are already in progress. On June 20, 2023, the Department of Justice announced a new National Security Cyber Section in the National Security Division.[6] On June 27, 2023, the Office of Management and Budget (OMB) issued a memorandum that outlines cybersecurity investment priorities for the federal government’s fiscal year 2025 budget and guidelines for agencies’ budget submissions.[7]
The Implementation Plan assigns each of the Strategy’s initiatives to a federal agency and provides ambitious deadlines for the completion of each. Several of the implementation plans will impact the private sector, including:
-
- By early 2024, the Office of the National Cyber Director must host stakeholders for a legal symposium to explore different approaches to developing the software liability framework laid out in the Strategy—which will involve holding liable software companies that do not follow best cybersecurity practices.[8] The legal symposium will involve discussions with software stakeholders in the private sector to develop a well-informed approach to the liability regime.[9]
- By the end of 2024, the Cybersecurity and Infrastructure Security Agency (CISA) will offer resources to “high-risk targets” of ransomware, including critical infrastructure organizations, to increase their protections against ransomware attacks.[10] Those resources may include “training, cybersecurity services, technical assessments, pre-attack planning, and incident response.”[11]
- By early 2025, the National Security Council, in coordination with the Office of the National Cyber Director and Sector Risk Management Agencies, must establish cybersecurity requirements across critical infrastructure sectors.[12] The sixteen critical infrastructure sectors include industries such as communications, critical manufacturing, energy, financial services, food and agriculture, healthcare, information technology, and transportation systems.[13]
- As we previewed in March, CISA is responsible for issuing a final critical infrastructure cyber incident reporting rule.[14] When the final rule is implemented, it will require covered entities to report covered cyber incidents to CISA within 72 hours of the incident, and ransomware payments within 24 hours of making the payment.[15] According to the Implementation Plan, by fall of 2025 companies will have clarity about (1) whether they are a covered entity and (2) what types of cyber incidents must be reported to CISA.[16]
II. Opportunities for Clients
Like the Strategy, the Implementation Plan calls for input from the private sector.[17] In particular, the Implementation Plan asks agencies to partner with the private sector to implement the plan.[18] The White House welcomed feedback from the private sector, promising to refine the Implementation Plan in response to private sector assessments of each initiative’s effectiveness.[19]
Private sector entities should look for opportunities to assess the effectiveness of implementation efforts and provide the White House with feedback where appropriate. Jenner & Block stands ready to assist clients in making that assessment and in preparing for the implementation of the National Cybersecurity Strategy.
[1] National Cybersecurity Strategy Implementation Plan (July 13, 2023), National-Cybersecurity-Strategy-Implementation-Plan-WH.gov_.pdf (whitehouse.gov) (Implementation Plan).
[2] Fact Sheet (July 13, 2023), FACT SHEET: Biden-Harris Administration Publishes the National Cybersecurity Strategy Implementation Plan | The White House.
[3] National Cybersecurity Strategy (March 1, 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf (Strategy).
[4] Strategy.
[5] Implementation Plan.
[7] https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-18-Administration-Cybersecurity-Priorities-for-the-FY-2025-Budget-s.pdf.
[8] Strategy at 20; https://www.jenner.com/en/news-insights/publications/client-alert-biden-harris-administration-cybersecurity-strategy.
[9] Implementation Plan at 30.
[10] Implementation Plan at 27.
[11] Implementation Plan at 27.
[12] Implementation Plan at 13.
[16] Implementation Plan at 18.
[17] Implementation Plan at 4.
[18] Implementation Plan at 4.
[19] Implementation Plan at 4.
Footnotes
[1] National Cybersecurity Strategy Implementation Plan (July 13, 2023), National-Cybersecurity-Strategy-Implementation-Plan-WH.gov_.pdf (whitehouse.gov) (Implementation Plan).
[2] Fact Sheet (July 13, 2023), FACT SHEET: Biden-Harris Administration Publishes the National Cybersecurity Strategy Implementation Plan | The White House.
[3] National Cybersecurity Strategy (March 1, 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf (Strategy).
[4] Strategy.
[5] Implementation Plan.
[7] https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-18-Administration-Cybersecurity-Priorities-for-the-FY-2025-Budget-s.pdf.
[8] Strategy at 20; https://www.jenner.com/en/news-insights/publications/client-alert-biden-harris-administration-cybersecurity-strategy.
[9] Implementation Plan at 30.
[10] Implementation Plan at 27.
[11] Implementation Plan at 27.
[12] Implementation Plan at 13.
[16] Implementation Plan at 18.
[17] Implementation Plan at 4.
[18] Implementation Plan at 4.
[19] Implementation Plan at 4.
Related Attorneys
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
On July 13, 2023, the White House published the National Strategy Implementation Plan (the Implementation Plan).[1] According to the White House, the Implementation Plan is a “roadmap to realize” the mission of the National Cybersecurity Strategy (the Strategy), which was released in March.[2]
In a March 9, 2023 client alert, we outlined the Strategy’s objectives and anticipated impact, including the five pillars crucial to developing a more secure digital ecosystem: (1) defense of critical infrastructure; (2) disruption of threat actors; (3) use of market forces to incentivize security and resilience; (4) federal investment; and (5) international partnerships.[3] In addition, the Strategy breaks each pillar into several strategic objectives.[4]
The Implementation Plan is one of the first steps in the White House’s execution of its Strategy, which will ultimately take years to fully implement. The White House noted that the Implementation Plan is a “living document” and that we can expect annual iterations of the Plan.[5]
I. Implementation
Portions of the Strategy are already in progress. On June 20, 2023, the Department of Justice announced a new National Security Cyber Section in the National Security Division.[6] On June 27, 2023, the Office of Management and Budget (OMB) issued a memorandum that outlines cybersecurity investment priorities for the federal government’s fiscal year 2025 budget and guidelines for agencies’ budget submissions.[7]
The Implementation Plan assigns each of the Strategy’s initiatives to a federal agency and provides ambitious deadlines for the completion of each. Several of the implementation plans will impact the private sector, including:
-
- By early 2024, the Office of the National Cyber Director must host stakeholders for a legal symposium to explore different approaches to developing the software liability framework laid out in the Strategy—which will involve holding liable software companies that do not follow best cybersecurity practices.[8] The legal symposium will involve discussions with software stakeholders in the private sector to develop a well-informed approach to the liability regime.[9]
- By the end of 2024, the Cybersecurity and Infrastructure Security Agency (CISA) will offer resources to “high-risk targets” of ransomware, including critical infrastructure organizations, to increase their protections against ransomware attacks.[10] Those resources may include “training, cybersecurity services, technical assessments, pre-attack planning, and incident response.”[11]
- By early 2025, the National Security Council, in coordination with the Office of the National Cyber Director and Sector Risk Management Agencies, must establish cybersecurity requirements across critical infrastructure sectors.[12] The sixteen critical infrastructure sectors include industries such as communications, critical manufacturing, energy, financial services, food and agriculture, healthcare, information technology, and transportation systems.[13]
- As we previewed in March, CISA is responsible for issuing a final critical infrastructure cyber incident reporting rule.[14] When the final rule is implemented, it will require covered entities to report covered cyber incidents to CISA within 72 hours of the incident, and ransomware payments within 24 hours of making the payment.[15] According to the Implementation Plan, by fall of 2025 companies will have clarity about (1) whether they are a covered entity and (2) what types of cyber incidents must be reported to CISA.[16]
II. Opportunities for Clients
Like the Strategy, the Implementation Plan calls for input from the private sector.[17] In particular, the Implementation Plan asks agencies to partner with the private sector to implement the plan.[18] The White House welcomed feedback from the private sector, promising to refine the Implementation Plan in response to private sector assessments of each initiative’s effectiveness.[19]
Private sector entities should look for opportunities to assess the effectiveness of implementation efforts and provide the White House with feedback where appropriate. Jenner & Block stands ready to assist clients in making that assessment and in preparing for the implementation of the National Cybersecurity Strategy.
I. Implementation
Portions of the Strategy are already in progress. On June 20, 2023, the Department of Justice announced a new National Security Cyber Section in the National Security Division.[6] On June 27, 2023, the Office of Management and Budget (OMB) issued a memorandum that outlines cybersecurity investment priorities for the federal government’s fiscal year 2025 budget and guidelines for agencies’ budget submissions.[7]
The Implementation Plan assigns each of the Strategy’s initiatives to a federal agency and provides ambitious deadlines for the completion of each. Several of the implementation plans will impact the private sector, including:
-
- By early 2024, the Office of the National Cyber Director must host stakeholders for a legal symposium to explore different approaches to developing the software liability framework laid out in the Strategy—which will involve holding liable software companies that do not follow best cybersecurity practices.[8] The legal symposium will involve discussions with software stakeholders in the private sector to develop a well-informed approach to the liability regime.[9]
- By the end of 2024, the Cybersecurity and Infrastructure Security Agency (CISA) will offer resources to “high-risk targets” of ransomware, including critical infrastructure organizations, to increase their protections against ransomware attacks.[10] Those resources may include “training, cybersecurity services, technical assessments, pre-attack planning, and incident response.”[11]
- By early 2025, the National Security Council, in coordination with the Office of the National Cyber Director and Sector Risk Management Agencies, must establish cybersecurity requirements across critical infrastructure sectors.[12] The sixteen critical infrastructure sectors include industries such as communications, critical manufacturing, energy, financial services, food and agriculture, healthcare, information technology, and transportation systems.[13]
- As we previewed in March, CISA is responsible for issuing a final critical infrastructure cyber incident reporting rule.[14] When the final rule is implemented, it will require covered entities to report covered cyber incidents to CISA within 72 hours of the incident, and ransomware payments within 24 hours of making the payment.[15] According to the Implementation Plan, by fall of 2025 companies will have clarity about (1) whether they are a covered entity and (2) what types of cyber incidents must be reported to CISA.[16]
II. Opportunities for Clients
Like the Strategy, the Implementation Plan calls for input from the private sector.[17] In particular, the Implementation Plan asks agencies to partner with the private sector to implement the plan.[18] The White House welcomed feedback from the private sector, promising to refine the Implementation Plan in response to private sector assessments of each initiative’s effectiveness.[19]
Private sector entities should look for opportunities to assess the effectiveness of implementation efforts and provide the White House with feedback where appropriate. Jenner & Block stands ready to assist clients in making that assessment and in preparing for the implementation of the National Cybersecurity Strategy.
[1] National Cybersecurity Strategy Implementation Plan (July 13, 2023), National-Cybersecurity-Strategy-Implementation-Plan-WH.gov_.pdf (whitehouse.gov) (Implementation Plan).
[2] Fact Sheet (July 13, 2023), FACT SHEET: Biden-Harris Administration Publishes the National Cybersecurity Strategy Implementation Plan | The White House.
[3] National Cybersecurity Strategy (March 1, 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf (Strategy).
[4] Strategy.
[5] Implementation Plan.
[7] https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-18-Administration-Cybersecurity-Priorities-for-the-FY-2025-Budget-s.pdf.
[8] Strategy at 20; https://www.jenner.com/en/news-insights/publications/client-alert-biden-harris-administration-cybersecurity-strategy.
[9] Implementation Plan at 30.
[10] Implementation Plan at 27.
[11] Implementation Plan at 27.
[12] Implementation Plan at 13.
[16] Implementation Plan at 18.
[17] Implementation Plan at 4.
[18] Implementation Plan at 4.
[19] Implementation Plan at 4.
Footnotes
[1] National Cybersecurity Strategy Implementation Plan (July 13, 2023), National-Cybersecurity-Strategy-Implementation-Plan-WH.gov_.pdf (whitehouse.gov) (Implementation Plan).
[2] Fact Sheet (July 13, 2023), FACT SHEET: Biden-Harris Administration Publishes the National Cybersecurity Strategy Implementation Plan | The White House.
[3] National Cybersecurity Strategy (March 1, 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf (Strategy).
[4] Strategy.
[5] Implementation Plan.
[7] https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-18-Administration-Cybersecurity-Priorities-for-the-FY-2025-Budget-s.pdf.
[8] Strategy at 20; https://www.jenner.com/en/news-insights/publications/client-alert-biden-harris-administration-cybersecurity-strategy.
[9] Implementation Plan at 30.
[10] Implementation Plan at 27.
[11] Implementation Plan at 27.
[12] Implementation Plan at 13.
[16] Implementation Plan at 18.
[17] Implementation Plan at 4.
[18] Implementation Plan at 4.
[19] Implementation Plan at 4.
Related Attorneys
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
News and Insights
Podcasts
Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast
Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.
July 15, 2026
Publications
Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report
Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.
July 14, 2026
Publications
Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law
Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.
July 7, 2026
Publications
In New York Law Journal, The True Lender Doctrine and the OppFi Decision
Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.
July 1, 2026
Event
Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference
On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.
July 1, 2026