United States Releases National Cybersecurity Strategy — March 2, 2023
The 2023 U.S. National Cybersecurity Strategy sets a five-pillar agenda that shifts liability for insecure software, strengthens critical infrastructure regulation, accelerates zero trust adoption, and expands joint disruption of threat actors.
Executive briefing: The Biden-Harris Administration released the National Cybersecurity Strategy on March 2, 2023, articulating five pillars that seek to (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships. The strategy calls for minimum cybersecurity requirements across critical sectors, secure-by-design software, zero trust adoption throughout the federal enterprise, and coordinated action with allies. CISOs and board leaders should align roadmaps with the strategy’s implementation objectives and prepare for the regulatory and funding initiatives that follow from it.
Pillar 1 — Defend critical infrastructure
The strategy directs sector risk management agencies (SRMAs) to develop and enforce cybersecurity performance goals, harmonise regulations, and support modernisation of legacy systems. The Cybersecurity and Infrastructure Security Agency (CISA) published cross-sector cybersecurity performance goals (CPGs) to guide baseline controls, and agencies are expected to convert voluntary measures into enforceable requirements where appropriate. Priority actions include implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), expanding Transportation Security Administration (TSA) directives, and leveraging grant programmes to uplift state and local defences.
Pillar 2 — Disrupt and dismantle threat actors
The administration commits to integrating diplomatic, military, intelligence, and law enforcement tools to impose costs on malicious actors. Initiatives include sustained counter-ransomware operations, improved information sharing with cloud and infrastructure providers, and coordinated takedowns with international partners. The strategy highlights the Joint Cyber Defense Collaborative (JCDC) as a mechanism to share real-time telemetry, while encouraging public-private operations to seize infrastructure and recover ransomware payments.
Pillar 3 — Shape market forces to drive security and resilience
The strategy proposes shifting liability for insecure software onto the vendors best positioned to prevent it, and promoting secure development practices through procurement incentives. The administration plans to work with Congress on legislation that establishes a higher standard of care for software providers and pairs it with a safe harbor for organisations that can demonstrate adherence to secure development frameworks. Federal acquisition rules are expected to favour software bills of materials (SBOMs), memory-safe languages, and secure-by-design attestations. The strategy also emphasises expanding cyber insurance coverage tied to demonstrable risk management.
Pillar 4 — Invest in a resilient future
Investments will target research and development in post-quantum cryptography, secure semiconductors, clean energy infrastructure, and cybersecurity workforce pipelines. The strategy aligns with CHIPS and Science Act funding, National Science Foundation cyber training programmes, and the National AI Research Resource. Agencies will modernise legacy IT, deploy zero trust architectures in accordance with OMB Memorandum M-22-09, and improve data sharing for national security missions.
Pillar 5 — Forge international partnerships
The U.S. will deepen cybersecurity cooperation through NATO, the Quad, the International Counter Ransomware Initiative, and regional partnerships. Objectives include promoting responsible state behaviour in cyberspace, aligning on secure-by-design standards, supporting capacity-building in developing nations, and enhancing collective response to incidents.
Implementation roadmap for enterprises
- Assess regulatory impact: Map the strategy to pending rulemakings (SEC cyber disclosures, CIRCIA, updated TSA security directives, Federal Trade Commission actions). Establish policy monitoring teams and prepare comment strategies.
- Enhance critical infrastructure controls: Align security programmes with CISA CPGs, NIST Cybersecurity Framework 2.0, and sector-specific guidelines (NERC CIP, HIPAA, FFIEC). Document compliance evidence for regulators and insurers.
- Adopt secure-by-design practices: Implement NIST Secure Software Development Framework (SSDF), supply-chain risk management, and memory-safe coding initiatives. Produce SBOMs and vulnerability disclosure programmes to meet federal procurement expectations.
- Accelerate zero trust: Execute identity governance, network segmentation, encryption, and continuous monitoring initiatives consistent with OMB M-22-09 and CISA Zero Trust Maturity Model. Measure progress against federal baselines even for private-sector organisations.
- Strengthen incident response partnerships: Participate in Information Sharing and Analysis Centers (ISACs), JCDC initiatives, and regional cyber exercises. Develop mutual aid agreements and escalation protocols for federal coordination.
Sector-specific guidance
Energy and utilities: Prepare for expanded mandatory reliability standards and supply-chain risk rules (NERC CIP-013). Invest in operational technology (OT) segmentation, anomaly detection, and incident reporting alignment with CIRCIA.
Healthcare: Align with HHS 405(d) practices, implement multifactor authentication, and prepare for potential minimum security requirements tied to Medicare reimbursement.
Financial services: Coordinate with Treasury’s Financial Stability Oversight Council initiatives, operational resilience frameworks, and upcoming SEC cyber disclosure rules. Integrate cyber metrics into capital planning and Model Risk Management.
Technology and software: Evaluate liability exposure, transition to secure-by-design methodologies, and prepare attestations for federal procurement. Expand bug bounty programmes and adopt memory-safe languages.
Measurement and reporting
Establish metrics linked to the five pillars: percentage of critical systems aligned with CISA CPGs, mean time to detect/respond to incidents, secure development lifecycle adherence, SBOM coverage, zero trust maturity scores, joint operations participation, and international collaboration engagements. Present metrics to boards alongside business risk indicators. Include cyber resilience objectives in ESG reporting and sustainability disclosures.
Workforce and talent considerations
The strategy highlights the need for a diverse cyber workforce. Organisations should invest in apprenticeships, reskilling programmes, and partnerships with community colleges. Adopt NICE Framework-aligned role definitions and career pathways. Implement retention incentives, remote work policies, and wellbeing programmes to reduce burnout. Coordinate with federal workforce initiatives to tap grant funding and talent exchanges.
International alignment and supply-chain security
Global enterprises should harmonise compliance with allied strategies such as the EU Cybersecurity Act, UK Cyber Essentials, and Australia’s 2023-2030 cybersecurity strategy. Strengthen supplier assurance through continuous monitoring, third-party risk assessments, and contractual clauses requiring secure development and incident reporting. Leverage collective defence arrangements to share threat intelligence across borders.
Preparing for secure software liability reforms
Legal teams should evaluate potential legislative proposals shifting liability for insecure products. Develop product safety cases documenting secure development, vulnerability management, and customer support processes. Maintain records of coordinated vulnerability disclosure (CVD) activities and patch timelines to demonstrate due diligence. Engage industry associations to influence policy development.
Sources
- National Cybersecurity Strategy (2023)
- White House Fact Sheet — National Cybersecurity Strategy
- CISA Cross-Sector Cybersecurity Performance Goals
- OMB Memorandum M-22-09 — Moving the U.S. Government Toward Zero Trust Cybersecurity Principles