Yesterday, President Trump signed an executive order requiring a comprehensive review of the federal government’s cybersecurity risk management policies and procedures (the “Order”). The Order also calls for a review of the adequacy of the federal cybersecurity support provided to operators of critical infrastructure, and an assessment of whether current education policies are sufficient to develop a robust cybersecurity workforce.
The Order primarily requires the federal government to review its policies and provide recommendations for improvements. With one exception (discussed below), the Order does not impose massive cybersecurity requirements on agencies. Highlights of the Order include:
- Adoption of NIST Framework to Manage Cybersecurity Risk. The Order requires federal agencies to adopt the National Institute of Standards and Technology’s (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”) to manage their cybersecurity risk. Within 90 days of the Order, each agency must submit a risk management report to the Director of the Office of Management and Budget and the Secretary of Homeland Security that documents its current risk mitigation efforts and describes the agency’s action plan for implementing the Framework.
- Assessment of Federal Cybersecurity Support for Critical Infrastructure. Under the Order, the federal government must review and recommend improvements to the cybersecurity support provided to operators of critical infrastructure, such as hospitals and power plants, including an evaluation of the federal resources that can be made available to such operators. The Order also requires the creation of a multi-stakeholder panel with the goal of reducing botnet attacks, and requires an assessment of the capabilities of the United States to respond to a cyberattack that results in a prolonged power outage.
- Adequacy of Federal Efforts to Protect Against Cyberattacks. The Order requires an assessment of the federal government’s efforts to protect the United States, its businesses, and its citizens from cyberattacks, including its international cybersecurity cooperation efforts. The Order also requires the federal government to recommend strategic options for protecting against cyberattacks.
- Sufficiency of Cybersecurity Workforce Development. The Secretary of Commerce and Secretary of Homeland Security must assess the sufficiency of current efforts to educate and train a cybersecurity workforce, and must provide recommendations to improve cybersecurity education. Simultaneously, the Director of National Intelligence will conduct a review of the workforce development policies of foreign peers to assess how such policies will impact the United States’ cybersecurity competitiveness.
While the Order requires the federal government to provide a comprehensive review of a number of key cybersecurity policies, it remains to be seen how agencies and departments will respond. However, the Order is a significant first step towards addressing the nation’s cybersecurity vulnerabilities. We will provide further analysis as the federal government conducts the review mandated by the Order.