President Donald Trump issued an executive order on Thursday calling for enhanced cybersecurity at the national level and more support for a skilled cybersecurity workforce.
“The executive branch operates its information technology (IT) on behalf of the American people,” Trump wrote in the order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. “The president will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.”
Furthermore, “because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise.”
Effective immediately, all federal agencies will be required to use the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity to manage cyber risk. Agency heads must submit a risk management report to the Office of Management and Budget within 90 days of the order that outlines their risk mitigation efforts; the strategic, operational and budgetary factors that dictated those efforts; any accepted risks, including unmitigated risks; and their action plan for implementing the NIST framework.
In January, the NIST proposed updates to the guidelines in the voluntary framework. The proposed updates were filed with the Federal Register on Jan. 25, and was accepting comments on the updates until April 10. A final Version 1.1 isn’t expected until fall, according to NIST, when all public comments have been reviewed, as well as responses from public workshops on May 16 and May 17.
Agency reports will be reviewed by the Secretary of Homeland Security and the director of OMB for their ability to mitigate risk to the executive branch as a whole. Within 60 days of that review, they are required to submit to the president their determination of each agency’s efforts, and if necessary, a plan to address inadequacies and align policies with the NIST framework.
The Financial Services Roundtable issued a statement praising the order.
“Cyber threats are one of the biggest threats to the American economy and today’s executive order shows the administration is serious about protecting the nation’s data and critical infrastructure,” said Chris Feeney, president of BITS, FSR’s Cyber and Technology division.
The Information Technology and Innovation Foundation expressed disappointment that the order didn’t provide more guidance for the private sector.
“We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats,” Daniel Castro, ITIF vice president, said in a statement.
“The last administration put together a commission which left a comprehensive set of action items for the new administration to pursue that should have been the starting point for this order," he continued. "While the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions.”
The order notes that effective risk management requires firms to plan for maintenance, improvements and modernization of systems rather than protecting current systems without a plan for the future. In doing so, the order directs agencies to “show preference in their procurement for shared IT services,” including email, cloud and cybersecurity services.
ITIF praised the order’s call for modernization, noting that “while there are many reasons to pursue IT modernization, the administration is likely to have the most success getting this done as a cybersecurity mandate rather than as a push for efficiency.”
The order reiterates the Obama administration’s support for enhanced cybersecurity of critical infrastructure, defined in 2013 as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Thursday’s order requires heads of those critical infrastructure entities and the secretary of Homeland Security to report annually, starting within 180 days of the order, to the president on risk management capabilities and possible improvements at those entities.
The secretaries of Homeland Security and Commerce must also report on current policies regarding transparency of cybersecurity risk management by critical infrastructure entities, with a specific focus on publicly traded entities.
John Cunningham, chief information security officer for Docupace, said, "It's great to see the president establish a uniform standard for assessment of risk across all agencies and develop a clear line of accountability. I look forward to seeing the results of the mandatory agency assessments and the identification of clear roadmaps to improve the overall security posture of the United States government, businesses and people."
The order includes measures to “ensure that the internet remains valuable for future generations” and to support “a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.”
An interagency report on the strategic options for deterring cyberattackers is due within 90 days. Within 45 days, reports are due from the secretaries of State, Treasury, Defense, Commerce and Homeland Security regarding international cybersecurity priorities, including how they’re cooperating with other nations on preventing attacks.
To support a cybersecurity workforce, agency heads must report on the scope of current education and training programs, and make recommendations for how to sustain and grow private and public cybersecurity workers.
The director of national intelligence is tasked with reviewing global peers for workforce development practices that could affect U.S. competitiveness in the cybersecurity space.
All of the reports outlined in the order may or may not be classified, in part or in full.
--- Read Federal Agencies Improving Cyber Defense: Report on ThinkAdvisor.