On May 11, 2017, after weeks of anticipation, the White House released an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The timing could hardly have been better: the same week, a global cyberattack unleashed ransomware against governments and companies in nearly 100 countries. The newly released Executive Order is a virtually complete recast of the draft Executive Order, with everything but the General Provisions in new format, structure and language. The core concepts of the prior draft, however, carry through to the final EO (with the promised tweaks).
The EO is intended to modernize, improve and maintain the information technology infrastructure of federal agencies and to coordinate the efforts of those agencies, thereby providing for increased risk management. The heads of federal agencies will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.
These measures must be taken in accordance with the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework, or any successor document). Risk management reports detailing the measures taken to date and action plans for implementing the Framework must be provided to the Director of the Office of Management and Budget and the Secretary of Homeland Security within 90 days of the EO (or, at light speed for government). Within 60 days of receiving these reports, the Director of OMB and the Secretary of Homeland Security, with their designated posse, must report to the President on whether the agency reports are appropriate and sufficient, together with a plan to address any gaps through policies and additional measures (aligned with the Framework), as well as the budgetary needs involved.
The EO also covers cybersecurity of critical infrastructure, building upon Executive Order 13636, issued by President Obama in 2013. Headed by the Secretary of Homeland Security, a designated group of agencies will collaborate to identify authorities and capabilities that federal agencies could employ to support the cybersecurity efforts of the critical infrastructure entities identified under Section 9 of EO 13636, working with those entities. This group must provide a report to the President within 180 days of the EO. Additionally, an “open and transparent” process will be used to foster collaboration among agencies and other stakeholders to reduce botnet threats. The Secretaries of Commerce and Homeland Security, with a cast of other agencies, are designated to lead this effort, work with the stakeholders, and provide a report that would be publicly available in preliminary form within 240 days after the EO and in final form within one year of the EO. (The term “appropriate stakeholders” is defined as “any non-executive branch person or entity that elects to participate in an open and transparent process” as established by the Secretaries of Homeland Security and Commerce.)
The third and final topic covered by the EO is cybersecurity for the nation: “strategic options for deterring adversaries and better protecting the American people from cyber threats,” a means to address international cybersecurity priorities, and workforce development in the cybersecurity field. Assigned groups of agencies will submit reports to the President on these matters within 90 days, 90 days and 120 days, respectively.
We look forward to the reports under the EO, as they will inform the direction ahead.