On September 19, 2024, the U.S. Cyberspace Solarium Commission 2.0 (“CSC 2.0”) published its 2024 Annual Report on Implementation (the “2024 Implementation Report”), which assesses the U.S. government’s progress in enacting the original Cyberspace Solarium Commission’s (the “CSC”) 82 bipartisan recommendations and outlines the top ten recommendations for the next administration and Congress to improve cyber resilience. Companies and other interested entities should pay close attention to these priority recommendations because they might foreshadow areas of focus for future cybersecurity regulations and developments in the coming years.
Although cybersecurity is a bipartisan issue, some of the most significant progress in this area has been achieved through executive action rather than congressional initiatives. It is unclear what impact a change in administration would have on the implementation of the CSC’s original recommendations. The 2024 Implementation Report’s recommendations for the next administration and Congress include measures such as creating a liability framework for final goods assemblers, identifying benefits and burdens for critical infrastructure owners designated as systemically important entities, and developing cybersecurity insurance certifications.
Given the history of the CSC’s recommendations evolving into significant executive, legislative, and regulatory actions that have shaped the cybersecurity landscape over the past several years, the 2024 Implementation Report and the CSC’s roadmap of recommendations provide a noteworthy preview of potential future cyber regulations and legislative developments in the U.S. Indeed, many of the most significant changes to the federal cybersecurity landscape in the past few years evolved from the CSC’s recommendations. We further summarize the report’s analysis and recommendations below.
The CSC was created by Congress in 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.”[1] To that end, in March 2020, the CSC published a report (“2020 Report”) that put forward 82 recommendations for the federal government to bolster the nation’s resilience against cyber threats.[2] The recommendations called for legislation, regulation, and executive action organized around six overarching pillars:
Since the expiration of the CSC’s mandate in 2021, the successor CSC 2.0 has continued to monitor and evaluate implementation of the CSC’s recommendations through its annual implementation reports.
Progress on Implementing the CSC’s Recommendations
According to the 2024 Implementation Report, 79% of the CSC’s 82 original recommendations have been fully implemented[3] by the federal government or are nearing implementation[4], with an additional 12% on track to be implemented.[5] The 2024 Implementation Report highlights the federal government’s progress in implementing several of the CSC’s recommendations, which correspond with recent high-profile cybersecurity developments, including (among others):
- National Cybersecurity Strategy (Recommendation 1.1) – The CSC recommended that the executive branch issue an updated national cyber strategy, and on March 2, 2023, the Biden administration published its National Cybersecurity Strategy, which articulated a series of objectives and recommended executive and legislative actions that, if implemented, would impose additional responsibilities and requirements related to cybersecurity on technology companies, federal contractors, and critical infrastructure owners and operators. On July 13, 2023, the administration subsequently published the National Cybersecurity Strategy Implementation Plan that identified 65 initiatives for implementing the National Cybersecurity Strategy.
- U.S. Cyber Trust Mark Program (Recommendation 4.1) – The CSC recommended that Congress establish and fund a national cybersecurity certification and labeling authority to manage voluntary security certifications and labeling for Internet of Things (“IoT”) devices. In March 2024, the Federal Communications Commission (“FCC”) approved the creation of a U.S. Cyber Trust Mark Program, which is a voluntary labeling program for consumer IoT devices based on NIST standards.
- NIST Cybersecurity Framework 2.0 (Recommendation 4.1.2) – The CSC recommended that the U.S. government expand and support the National Institute of Standards and Technology (“NIST”), including with respect to updating the NIST Cybersecurity Framework (“CSF” or “Framework”). On February 26, 2024, NIST published version 2.0 of its Cybersecurity Framework. Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity. The CSF 2.0 incorporates some significant updates to the Framework, such as a new “Govern” function that emphasizes the governance component of cybersecurity and an increased focus on cybersecurity supply chain risk management.
- SEC Cybersecurity Disclosure Rules (Recommendation 4.4.4) – The CSC recommended that Congress amend the Sarbanes-Oxley Act to include cybersecurity reporting requirements. On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted rules that require U.S. public companies and, in certain instances, foreign private issuers to report their material cybersecurity incidents on Form 8-K and Form 6-K, as applicable, and to provide disclosure in periodic reports about their cybersecurity risk management and governance.
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) (Recommendation 5.2.2) – The CSC recommended that Congress authorize the Department of Homeland Security (“DHS”) and the Department of Justice “to establish requirements for critical infrastructure entities to report cyber incidents to the federal government.” In 2022, CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”). While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue a proposed rule within 24 months of the law’s enactment to provide further detail on the scope and implementation of these requirements. On March 27, 2024, CISA published a notice of proposed rulemaking outlining draft regulations to implement the incident reporting requirements for critical infrastructure entities and seeking public comment. The comment period closed on July 3, 2024.
In contrast, the CSC 2.0 reports that only 7.3% of the 82 original recommendations have achieved limited progress[6] and that only 1.2% have faced significant barriers.[7] Of the recommendations that have achieved limited progress or faced significant barriers, many likely require legislative action by Congress, such as:
- Clarify Liability for Federally Directed Mitigation, Response, and Recovery Efforts (Recommendation 3.3.2) – The CSC recommended that Congress “pass a law specifying that entities taking, or refraining from taking, action at the duly authorized direction of any agency head, or any other federal official authorized by law, should be insulated from legal liability.” The 2024 Implementation Report notes that, “[w]hile the Commission staff drafted legislation in support of this recommendation, no comprehensive policy has been established insulating companies from liability if they take cyber and emergency response actions directed by the federal government or law enforcement.”
- Pass a National Data Security and Privacy Protection Law (Recommendation 4.7) – The CSC recommended that Congress “pass a national data security and privacy protection law establishing and standardizing requirements for the collection, retention, and sharing of user data.” Since the CSC recommendations, Congress has yet to pass a national data security and privacy protection law.
- Pass a National Breach Notification Law (Recommendation 4.7.1) – The CSC recommended that Congress pass a national breach notification law that preempts existing U.S. state data breach notification laws. The 2024 Implementation Report acknowledges that, while “various pieces of legislation require breach notification to consumers under certain circumstances,” no comprehensive national breach notification law has been enacted.
Recommendations for the Next Administration and Congress
The 2024 Implementation Report offers a list of priority recommendations for the next administration and Congress, regardless of who wins the U.S. election. These recommendations were included in the original 2020 Report and remain salient because they have not been fully implemented. Companies and other interested entities should pay close attention to these priority recommendations because they foreshadow possible areas of focus for future cybersecurity regulations and developments in the coming years. In particular, the 2024 Implementation Report highlighted the following recommendations (among others):
- Establish Liability for Final Goods Assemblers (Recommendation 4.2) – In its original 2020 Report, the CSC recommended that Congress “pass a law establishing that final goods assemblers[8] of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.” In line with the National Cybersecurity Strategy, the Office of the National Cyber Director has taken initial steps towards developing a liability framework for software developers, but CSC 2.0 describes this effort as “nascent.” The CSC 2.0 encourages the federal government to hold manufacturers accountable for cybersecurity breaches by implementing liability requirements that define “manufacturers’ responsibilities, conditions for liability, and penalties for non-compliance.”
- Designate Benefits and Burdens for Systemically Important Entities (Recommendation 5.1) – The 2020 Report recommended that Congress codify the concept of systemically important critical infrastructure. Through the National Security Memorandum on Critical Infrastructure Security and Resilience (“NSM-22”), the Biden administration directed CISA to work with sector risk management agencies (“SRMAs”) to identify systemically important entities (“SIEs”), which are defined as “organizations that own, operate, or otherwise control critical infrastructure” whose failure could negatively impact national security, economic security, or public health and safety. To clarify expectations for entities that may be identified as SIEs, CSC 2.0 urges the next administration to work with Congress “to detail intelligence and information sharing benefits and the minimum cybersecurity burdens of SIEs.”
- Codify Joint Collaborative Environment for Threat Information Sharing (Recommendation 5.2) – The 2020 Report recommended that Congress establish and fund a Joint Collaborative Environment (“JCE”) “for the sharing and fusing of threat information, insight, and other relevant data” across agencies and between the public and private sectors. According to the CSC 2.0, the JCE’s “advanced integrative platform would facilitate real-time sharing and analysis of cyber threat intelligence among government agencies, private sector entities, and international partners.” CISA has already taken steps towards realizing this recommendation, including requesting $394.1 million in the FY25 budget designated for the JCE. The CSC 2.0 recommends that the next administration work with Congress to codify the JCE into law and to introduce data privacy and legal protections to encourage private sector participation.
- Develop a Cloud Security Certification (Recommendation 4.5) – The 2020 Report recommended that NIST, DHS, and the Office of Management and Budget work together to develop a cloud security certification. In connection with this certification program, the CSC also encouraged the executive branch to update and simplify the Federal Risk and Authorization Management Program (“FedRAMP”) requirements “to require that all non-national security cloud services procured by the federal government meet the identified standards and possess the cloud security certification.” While the CSC 2.0 notes that the FY23 National Defense Authorization Act authorized FedRAMP “to standardize security assessment of cloud computing products and services for unclassified federal information, the program does not explicitly enforce cybersecurity standards through a security certification[.]” The CSC 2.0 recommends further enforcing cybersecurity standards through a cloud security certification program and designating cloud service providers as critical infrastructure (or as a sub-sector within the information technology sector) with SRMA oversight.
- Develop Cybersecurity Insurance Certifications (Recommendation 4.4) – The 2020 Report recommended the creation of a federally funded research and development center (“FFRDC”) to work with state regulators to develop certifications for cybersecurity insurance products. The FFRDC would “help insurers find ways to offer better coverage that meets the various sector-specific needs.” While NIST has identified the cyber insurance market as a research priority, the cyber insurance market remains volatile with “too few companies [that] have coverage they need at premiums they can afford,” according to the 2024 Implementation Report. In response, the CSC 2.0 encourages the federal government to develop cybersecurity insurance certification frameworks in order to promote cybersecurity insurance.
What to Expect Going Forward
The 2024 Implementation Report shows that the CSC’s recommendations have provided a reliable roadmap for the direction of U.S. cybersecurity policy, regulations, and developments – and that the federal government has taken significant action to realize the CSC’s original recommendations. Bipartisan support has enabled progress on implementing many of the CSC’s original recommendations. The 2024 Implementation Report encourages the next administration and Congress to continue to prioritize cybersecurity through inter-agency programs, appropriations, public-private collaboration, legislation, and regulation. As such, companies and other interested entities should continue to follow discussions about the CSC’s recommendations closely, because they may serve as a roadmap for potential cybersecurity regulations, legislation, and other developments.
If you have any questions concerning the material discussed in this client alert, please contact members of our Data Privacy and Cybersecurity practice.
[1] Mission and History, CSC 2.0, https://cybersolarium.org/mission-and-history (last visited Sept. 26, 2024).
[2] U.S. Cyberspace Solarium Comm’n, CSC Final Report (2020), https://www.solarium.gov/report (last visited Sept. 26, 2024).
[3] A recommendation is considered “implemented” when “legislation has been passed, an executive order issued, or other definitive action taken.”
[4] A recommendation is “nearing implementation” or is “partially implemented” when it “is included in legislation or an executive order that has a clear path to approval, or it is partially implemented in law/policy.”
[5] A recommendation is “on track” if it “is being considered for a legislative vehicle, an executive order or other policy is being considered, or there are measurable/reported signs of progress.”
[6] A recommendation is classified as “progress limited/delayed” if it “has not been rejected, but it is not in a legislative vehicle, and there are no known policy actions underway.”
[7] There are “significant barriers to implementation” when recommendations “are not expected to move in the immediate future but are ready to be taken up if future crises spur action.”
[8] The 2020 Report defines “Final Goods Assembler” as “the entity that enters into an end user licence agreement with the user of the product or service and is most responsible for the placement of a product or service into the stream of commerce. Products and services can include not just objects such as smartphones and laptops but also operating systems, applications, and connected industrial control systems. There is one final goods assembler for each product or service, and the definition of final goods assembler should not include resellers who repackage products without modifying them.”