US National Cybersecurity Strategy

The US National Cybersecurity Strategy establishes the federal government's overarching policy framework for defending digital infrastructure, deterring adversaries, and shaping international norms in cyberspace. Issued by the White House and operationalized through a network of federal departments and independent agencies, it sets binding priorities for how the United States allocates cybersecurity responsibilities across government, the private sector, and international partners. The strategy directly affects procurement, regulation, and investment decisions across every sector that owns or operates networked systems.

Definition and scope

The National Cybersecurity Strategy is a presidentially directed policy document that defines objectives, assigns roles, and establishes accountability mechanisms for federal cybersecurity activities. The 2023 edition, released by the Biden administration in March 2023 (White House National Cybersecurity Strategy, 2023), organized federal priorities around five pillars: defending critical infrastructure, disrupting threat actors, shaping market forces to improve security, investing in a resilient future, and forging international partnerships.

Scope under the strategy extends beyond federal civilian networks. It explicitly addresses critical infrastructure protection across 16 sectors designated by the Department of Homeland Security (DHS), including energy, water, healthcare, and financial services. The strategy also covers the defense industrial base, state and local government networks receiving federal funding, and private entities operating systems deemed essential to national security.

A companion document, the National Cybersecurity Strategy Implementation Plan (NCSIP), published in July 2023 (White House NCSIP), assigned more than 65 specific initiatives to named federal agencies with defined timelines, translating high-level pillars into measurable programmatic actions.

How it works

The strategy operates through a multi-layered governance structure rather than a single statutory authority. Execution flows from the White House Office of the National Cyber Director (ONCD), established under the National Defense Authorization Act of 2021 (Public Law 116-283), which coordinates strategy implementation across agencies.

The principal federal actors include:

  1. Cybersecurity and Infrastructure Security Agency (CISA) — primary civilian authority for critical infrastructure defense, incident coordination, and cybersecurity information sharing across sectors.
  2. National Security Agency (NSA) — responsible for signals intelligence, cryptographic standards, and securing national security systems.
  3. Federal Bureau of Investigation (FBI) — leads cyber threat investigation and disruption operations targeting criminal and nation-state actors.
  4. Department of Defense (DOD) — executes offensive and defensive cyber operations through US Cyber Command (USCYBERCOM) and administers DOD cybersecurity requirements for contractors.
  5. National Institute of Standards and Technology (NIST) — develops and maintains voluntary frameworks including the NIST Cybersecurity Framework used by both federal agencies and private industry.

Regulatory levers include sector-specific rules enforced by agencies such as the Federal Energy Regulatory Commission (FERC) for energy, the Securities and Exchange Commission (SEC) for public companies, and the Department of Health and Human Services (HHS) for healthcare entities. The strategy explicitly calls for expanding these regulatory baselines where they are absent or insufficient, citing market failure as a driver of underinvestment in baseline security controls.

Common scenarios

The strategy governs how the federal government responds to and prepares for four primary operational scenarios:

Ransomware attacks on critical infrastructure — Incidents such as the 2021 Colonial Pipeline attack demonstrated the gap between private operator defenses and national-level consequences. The strategy directs CISA and FBI to coordinate federal response while pushing minimum security requirements onto operators. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) operationalizes mandatory reporting to close visibility gaps.

Nation-state intrusions — Persistent campaigns attributed to actors linked to China, Russia, Iran, and North Korea (Cybersecurity and Infrastructure Security Agency threat advisories) require both defensive hardening and diplomatic deterrence. The strategy authorizes pre-positioned defensive measures and USCYBERCOM defend-forward operations outside US networks.

Supply chain compromises — The SolarWinds intrusion, attributed to Russian SVR-linked actors, illustrated how software supply chains can serve as force-multipliers for adversaries. The strategy mandates software bill of materials (SBOM) requirements and elevated standards for software purchased by federal agencies. For a detailed treatment, see supply chain cybersecurity risks.

Workforce and capacity gaps — The strategy addresses the estimated shortage of cybersecurity professionals in the US labor market through workforce development programs administered by CISA, NSF, and the Department of Labor. Details on the workforce sector are covered in cybersecurity workforce national.

Decision boundaries

The strategy distinguishes between voluntary frameworks and mandatory requirements — a distinction with significant compliance implications. Voluntary frameworks, such as the NIST Cybersecurity Framework, apply to entities not subject to sector-specific federal regulation. Mandatory baseline requirements apply to federal civilian agencies under FISMA and to contractors subject to Cybersecurity Maturity Model Certification (CMMC).

A critical boundary lies between critical infrastructure sectors and general commercial entities. Operators of systems designated under Presidential Policy Directive 21 (PPD-21) face heightened scrutiny and are the primary target of new regulatory mandates proposed under the strategy. General commercial entities outside those 16 sectors are addressed primarily through FTC enforcement authority under Section 5 of the FTC Act and state-level laws catalogued in state cybersecurity laws overview.

The strategy also delineates between domestic and international jurisdiction. Activities outside US borders fall under executive authority via Title 10 (DOD) and Title 50 (intelligence community) authorities, not domestic regulatory law. This boundary determines which agency leads, which legal frameworks apply, and what disclosure obligations attach to any resulting federal action.

References

5 regulatory citations referenced · Citations verified Feb 26, 2026
