President Donald Trump issued an executive order on Thursday calling for enhanced cybersecurity at the national level and more support for a skilled cybersecurity workforce.
“The executive branch operates its information technology (IT) on behalf of the American people,” Trump wrote in the order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. “The president will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.”
Furthermore, “because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise.”
Effective immediately, all federal agencies will be required to use the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity to manage cyber risk. Agency heads must submit a risk management report to the Office of Management and Budget within 90 days of the order that outlines their risk mitigation efforts; the strategic, operational and budgetary factors that dictated those efforts; any accepted risks, including unmitigated risks; and their action plan for implementing the NIST framework.
In January, the NIST proposed updates to the guidelines in the voluntary framework. The proposed updates were filed with the Federal Register on Jan. 25, and was accepting comments on the updates until April 10. A final Version 1.1 isn’t expected until fall, according to NIST, when all public comments have been reviewed, as well as responses from public workshops on May 16 and May 17.
Agency reports will be reviewed by the Secretary of Homeland Security and the director of OMB for their ability to mitigate risk to the executive branch as a whole. Within 60 days of that review, they are required to submit to the president their determination of each agency’s efforts, and if necessary, a plan to address inadequacies and align policies with the NIST framework.
The Financial Services Roundtable issued a statement praising the order.
“Cyber threats are one of the biggest threats to the American economy and today’s executive order shows the administration is serious about protecting the nation’s data and critical infrastructure,” said Chris Feeney, president of BITS, FSR’s Cyber and Technology division.
The Information Technology and Innovation Foundation expressed disappointment that the order didn’t provide more guidance for the private sector.
“We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats,” Daniel Castro, ITIF vice president, said in a statement.
“The last administration put together a commission which left a comprehensive set of action items for the new administration to pursue that should have been the starting point for this order,” he continued. “While the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions.”