The President signed his long-delayed cybersecurity executive order (EO) today.
Section 1: Cybersecurity of Federal Networks
The first section of the EO is focused on strengthening the cybersecurity of federal networks. It says that the President will hold the heads of executive departments and agencies accountable for managing cybersecurity risk of their enterprises, but it does not include any consequences. The agency heads will also be accountable for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes. This section calls for the following:
- Agency heads are directed to use the National Institute of Standards and Technology (NIST) Framework to manage the agency’s cybersecurity risk, and they will provide a management report to the Department of Homeland Security (DHS) Secretary and Office of Management and Budget (OMB) Director within 90 days (due 8/9/17). The report will document the risk mitigation and acceptance choices made by each agency including the strategic, operational, and budgetary considerations that informed those choices and any accepted risk. The report will also include the agency’s action plan to implement the NIST Framework. The DHS Secretary and OMB Director will then assess each report to determine if the choices are appropriate and sufficient, and within 60 days (latest 10/8/17) of receipt then submit a report to the President (through the Assistant to the President for Homeland Security and Counterterrorism). The report for the President will include the determination and plan to protect the executive branch, budgetary needs, a regular process for reassessing future unmet budgetary needs, and policy, standards and guidelines that are aligned with the NIST Framework. The agency risk reports could be classified in full or in part.
- In order to build and maintain resilient federal IT architecture, agency heads should show preference for shared IT services including email, cloud, and cybersecurity services. The Director of the American Technology Council will issue a report within 90 days (due 8/9/17) with the DHS Secretary, OMB Director, GSA Administrator and Commerce Secretary that will describe the legal, policy, and budgetary considerations for federal agencies to transition to consolidated network architectures and shared IT services.
- For any National Security System, the Secretary of Defense and Director of National Intelligence (DNI) will implement the EO to the “maximum extent feasible and appropriate.” They will provide a report to Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism within 150 days (due 10/8/17).
Section 2: Cybersecurity of Critical Infrastructure (CI)
The second section of the EO focuses on strengthening the cybersecurity of our nation’s critical infrastructure (CI). The President asserts that it is the administration’s policy to support the cybersecurity risk management efforts of the owners and operators of our nation’s CI. This sections calls for the following:
- The DHS Secretary in coordination with the Secretary of Defense, Attorney General, DNI, FBI Director, the heads of appropriate sector-specific agencies, and other appropriate agency heads will identify the authorities and capabilities that federal agencies could employ to support the cybersecurity efforts of CI entities and determine whether and how the authorities and capabilities might be employed. They will provide the President with a report within 180 days (due 11/7/17) that may be classified in full or in part. They will be required to provide an updated report to the President on an annual basis thereafter.
- The DHS Secretary and Secretary of Commerce will provide a report to the President that examines the sufficiency of existing federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by CI entities (focused on publicly traded CI entities) within 90 days (due 8/9/17).
- The DHS Secretary and Commerce Secretary will identify and promote action by appropriate stakeholders to improve the resilience of the internet and communication ecosystem to ensure resilience against botnets and other automated, distributed threats and will make publicly available a draft report within 240 days (due 1/6/18). And within a year, they will submit a final version of this report to the President.
- The Secretary of Energy and DHS Secretary will assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident, the readiness of the US to deal with an incident, and gaps in assets and capabilities to mitigate consequences of such an incident. The assessment will be provided to the President within 90 days (due 8/9/17).
- The Secretary of Defense, DHS Secretary, and FBI Director will provide a report to the President within 90 days (due 8/9/17) that outlines the cybersecurity risks facing the defense industrial base, including its supply chain, and the U.S. military platforms, systems, networks, and capabilities. The report will also include recommendations for mitigating these risks. The report may be classified in full or in part.
Section 3: Cybersecurity for the Nation
Finally, the third section of the EO focuses on cybersecurity for the nation. The administration wants to promote and open, interoperable, reliable, and secure internet as well as support the growth and sustainment of a cybersecurity workforce. This section calls for the following:
- The Secretary of State, Treasury Secretary, Defense Secretary, AG, Commerce Secretary, DHS Secretary, and U.S. Trade Representative will issue a report to the President within 90 days (due 8/9/17) on the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.
- The Secretary of State, Treasury Secretary, Defense Secretary, Commerce Secretary, and DHS Secretary will issue reports to the President within 45 days (due 6/25/17) on their international cybersecurity priorities including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation. Within 90 days of submitting the reports, the Secretary of State shall provide a report to the President documenting an engagement strategy for international cooperation in cybersecurity.
- The Secretary of Commerce and the DHS Secretary will jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce. Within 120 days (due 9/8/17), they will provide a report to the President with their findings and recommendations.
- The DNI will review the workforce development efforts of potential foreign cyber peers in order to develop best practices and within 60 days (due 7/10/17) provide a report to the President on his findings.
- The Secretary of Defense will assess the scope and sufficiency of U.S. efforts to maintain or increase its advantages in national security-related cyber capabilities and issue a report within 150 days (due 10/8/17) to the President with his findings and recommendations.
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure