On Thursday, May 11, President Trump signed an executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure. The order is expected to prompt a broad examination of cybersecurity vulnerabilities at federal agencies and re-orient federal cybersecurity efforts toward modernization and shared services. The order also reaffirms the previous administration’s approach to cybersecurity protections for critical infrastructure – with increased emphasis on the power grid – and seeks to promote the growth and sustainment of the nation’s cybersecurity workforce in the public and private sectors.
Significantly, the order formalizes escalation of responsibility after the massive Office of Personnel Management breach by stressing that the President will hold agency heads “accountable for managing cybersecurity risk to their enterprises.” It also declares that the federal government should be held responsible for providing, in the words of the order, more effective “deterrence and protection … and better protecting the American people from cyber threats.”
The order also emphasizes increased coordination within the executive branch and with international partners. It does not, however, formally designate any one senior position as the overall cybersecurity coordinator for the United States. This could undermine the order’s focus on accountability. Lead roles are assigned to the Department of Homeland Security, the Office of Management and Budget (“OMB”), and others. While much of the order represents a refinement or restatement of existing practices, the order does call for a report on “market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities.” This could alter public disclosure practices for affected companies.
Finally, companies may also look to the executive order for guidance for their own cybersecurity enterprise risk governance responsibilities. In this regard, the order prescribes the development of a risk management and mitigation determination for the federal government, along with a corresponding implementation plan to address insufficiencies and other relevant objectives.
The Determination and Plan
The executive order calls for the Secretary of Homeland Security and the Director of OMB to jointly assess each agency’s risk management report to determine whether the risk mitigation and acceptance choices set forth in the agency reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate. This is defined as “the determination.”
Then, in light of that determination, the Secretary and Director are tasked with presenting to the President a plan to:
- adequately protect the executive branch enterprise, should the determination identify insufficiencies;
- address immediate unmet budgetary needs necessary to manage risk to the executive branch enterprise;
- establish a regular process for reassessing and, if appropriate, reissuing the determination, and addressing future, recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise;
- clarify, reconcile, and reissue, as necessary and to the extent permitted by law, all policies, standards, and guidelines issued by any agency in furtherance of [the Federal Information Security Management Act], and, as necessary and to the extent permitted by law, issue policies, standards, and guidelines in furtherance of this order; and
- align these policies, standards, and guidelines with the NIST Cybersecurity Framework.
The executive order mandates that the heads of executive agencies use the National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Framework”) to manage each agency’s cybersecurity risk. Further, the Secretary of Homeland Security and Director of OMB are directed to develop a plan to align all current policies, standards, and guidelines for federal agency cybersecurity with the NIST Framework. Many agencies use the NIST Framework, but mandated federal use of the framework is a positive development that should move federal cybersecurity compliance away from a “check-box approach” and toward greater and more systematic focus on risk, resiliency, and continuous improvement.
Shared and Cloud Services
Although the executive order holds the heads of executive departments and agencies accountable for managing the cybersecurity risk of their separate organizations, the order also seeks to promote shared resources and increased coordination between federal agencies on cybersecurity. The order requires the Secretary of Homeland Security and the Director of the Office of Management and Budget (“OMB”) to assess risk management reports submitted by the heads of each agency and develop a plan to protect the executive branch as a single enterprise. Under the order, agency heads are also directed to show preference in their procurement for shared IT and cybersecurity services. The American Technology Council – a new advisory group created by President Trump in a separate order – will submit a report to the President exploring the feasibility of transitioning agencies to consolidated network architectures and shared IT services, including email, cloud, and cybersecurity services. If successful, these efforts should drive increased efficiency, modernization, and cybersecurity of federal information systems.
The executive order may also impact the cybersecurity risk management efforts of owners and operators of critical infrastructure. The order directs the Secretary of Homeland Security, in coordination with the heads of sector-specific agencies (as defined in Presidential Policy Directive 21 of February 12, 2013), to identify ways to combat the risk of attacks against critical infrastructure entities, to promote market transparency of cybersecurity risk management practices at such entities, and to assess the potential impact of attacks on the nation’s electrical infrastructure, industrial base, military platforms, and communications ecosystem. The affected critical infrastructure companies are those already designated (and notified) under section 9 of the prior Executive Order 13636 issued by President Obama.
To the extent that these developments reflect a commitment to flexible, risk-based standards that can accommodate the complexity of systems supporting critical infrastructure, further guidance may be useful in strengthening cybersecurity protections for critical services. Private sector tech vendors, critical infrastructure providers, public companies, defense contractors, and network providers should monitor these developments closely for their potential impact on business practices and risks.
Transparency in the Marketplace
The order directs the Secretary of Homeland Security, in coordination with the Secretary of Commerce, to report on “the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities.” The import of this review is not entirely clear, but could have significant implications for affected entities.
The executive order also reflects a push for international cooperation in cybersecurity, directing the Secretaries of State, Treasury, Defense, Commerce, and Homeland Security to submit reports on their international cybersecurity priorities. These reports will be developed into an engagement strategy for international cooperation, focusing on investigation, attribution, cyber threat information sharing, response, and capacity building.
Overall, the executive order is a promising sign of the new administration’s commitment to cybersecurity. The key element that will determine the effectiveness of the administration in achieving its cybersecurity and IT modernization goals will be whether promised resources are provided as a part of the budget process.