Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
President Trump’s Executive Order on Cybersecurity expands upon earlier legislation, orders numerous reports to assess federal agencies’ current security policies, moves to modernize federal IT systems by transitioning to consolidated network infrastructures and shared IT services, and mandates that federal agencies use the NIST Framework.
On May 11, 2017, President Trump signed the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This new Executive Order (EO), like the 2013 Presidential Policy Directive 21 (PPD21), continues to focus on the cybersecurity of US critical infrastructure and on identifying existing support for critical infrastructure sectors, but it also adds new federal mandates. The new EO specifically mentions resilience against botnets and automated distributed threats, and assessing the consequences of a prolonged power outage associated with a cyber incident.
One policy change marked “effective immediately” falls under the “Risk Management” section of the EO. Federal agencies must now use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST). In the past, the federal government has encouraged the private sector to make use of the NIST Framework, but its use, even in federal agencies, has been voluntary until now.
A second policy point marked “effective immediately” says “It is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture.” A sub-point highlights one of the most interesting policy shifts: “Agency heads shall show preference in their procurement for shared IT services…including email, clouds, and cybersecurity services.” Another sub-point sets in motion a report, due in August, describing the policy and budgetary considerations for transitioning all agencies to one or more consolidated network architectures and shared IT services. We might interpret these statements to mean that federal networks will change, possibly being combined or consolidated in some way, and that cloud-based solutions may play a role in this transition.
The EO, described by some tech leaders as a plan for a plan, assigns a slew of reports to assess the current state of cybersecurity for federal agencies and to gauge their risk management plans and policies, as well as their plans for maintaining or developing IT infrastructure. The EO also assigns areas of responsibility to agency heads that are similar to those outlined in PPD21.
Many of the mandated reports, written by agency heads alone or in collaboration with other federal officials, are due for submission on August 9, 2017, 90 days from the signing of the EO.
The purpose of this new EO seems to be to bring the cybersecurity policies of many disparate federal agencies into alignment, to encourage interagency cooperation, and to establish a plan for a plan for securing the federal government against future cyber incidents.
Sources and Additional Federal Legislation Pertaining to Cybersecurity:
National Institute of Standards and Technology (NIST), The NIST Cybersecurity Framework
NIST, The Cybersecurity Framework, Implementation Guidance for Federal Agencies (pdf), May 2017
NIST, Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.1, January 10, 2017
US Government Publishing Office (GPO), 6 U.S.C. 148 – National Cybersecurity and Communications Integration Center