The federal government is visibly and meaningfully committing to expanding the use of mandatory minimum cybersecurity requirements across critical sectors with its National Cybersecurity Strategy. This is a refreshing acknowledgement of the federal government’s role and a complete abandonment of the original 2003 strategy, which stated federal regulation would not be a primary means of securing cyberspace.

It might have taken 20 years, but the federal government is now saying the quiet part out loud: The lack of mandatory cybersecurity minimums has failed. Regulatory mandates are coming, so get your house in order.

The strategy also makes it clear that where the government does not have authority to mandate minimum standards, the administration will work with Congress to close those gaps and regulate the unregulated.

The strategy dictates federal agencies like the Department of Defense (DOD), Securities and Exchange Commission (SEC), Federal Communications Commission (FCC), and others will use the full weight of their regulatory powers to establish and enforce mandatory cybersecurity minimums across their respective contractors and suppliers. If this comes to fruition, we will experience a sea change in our ability to detect and defend against cyberthreats. Regulatory establishment and enforcement of mandatory cybersecurity minimums is the single most impactful thing the federal government can do for our nation’s cyber defense and this strategy does it.

It’s no secret that the federal government and its vast contractor supply chain has been unable to prevent and combat nation-state attacks with its current strategies. The SolarWinds hack, linked to a Russian intelligence agency, was one of the most sophisticated hacks in history with information from some of our highest-level security organizations stolen. This breach and the decades of data breaches preceding it appear to have compelled the Biden administration to embrace the federal government’s responsibilities as a regulator. It’s a welcome acknowledgement both of the need for mandatory cybersecurity minimums and the federal government’s role in establishing them.

Recent breaches have impacted Americans in more tangible ways including the ransomware attack on Dole Food Company that shut down production for an entire continent, a throwback to the JBS Foods attack that also affected consumers at the grocery store. This trend of actually seeing the impact of cyberattacks in our physical world is only going to increase over time.

Cybersecurity is complex, but the lack of regulation has made it harder, not easier, to succeed. Not establishing and enforcing mandatory minimum requirements has normalized the steady flow of breach headlines we’ve become used to. This new strategy takes an important step toward decreasing that frequency.

The federal government has thankfully recalculated the cost of inaction, which had been deemed acceptable as organizations often ignored regulations in the few places that they existed. Last June, the National Defense Industrial Association (NDIA) wrote to lawmakers, protesting that cybersecurity is just too expensive … a clear sign that compliance to a legally established minimum level of cybersecurity, which has been required for defense contractors since at least 2017, was not a priority.

To realize the full benefits of this strategy, enforcement must follow the establishment of regulation. Enforced regulatory mandates would ensure that companies are held accountable for their cybersecurity measures and that they are constantly updating their protocols to stay ahead of new threats. This shift makes us proactive in our approach to security rather than reactive, which we know doesn’t work.

Absence of regulation and lack of enforcement for the few requirements that do exist has yielded immeasurable theft of intellectual property and untold damage to national security. With the establishment and enforcement of mandatory cybersecurity minimums on the horizon, America is set to start winning in cyberspace.

Eric Noonan is CEO of CyberSheath.