The White House recently released two executive orders focusing on the government’s use of information technology and the need to assess cybersecurity threats to the country’s critical infrastructure. These executive orders highlight the importance of a more comprehensive and unified federal approach to cybersecurity issues, but aggressive timelines may create certain challenges, as noted below.
The American Technology Council
The first executive order, signed on April 28, 2017, establishes the American Technology Council (the "Council"), which will operate under the White House's Office of American Innovation. The Council is comprised of the president, vice president, the secretaries of Defense, Commerce and Homeland Security, as well as the Director of the Office of Management and Budget ("OMB"), National Intelligence, Office of Science and Technology Policy, and other government officials with technology-related portfolios.
The Council is tasked with coordinating the development of the vision and policy of the use of information technology by the federal government. It is also responsible for coordinating advice on information technology policy delivered to the president. This new role will take on additional importance in the near future in light of the government’s review of cybersecurity threats discussed below. Specifically, Section 7(d) directs the Director of National Intelligence to share classified information with the Council on “cybersecurity threats, vulnerabilities, and mitigation procedures.”
While the Council's authority to review the federal government's use of information technology is quite broad, it will not be permitted to review issues that relate to national security systems, or override the authority of government agencies and the OMB to develop agency-specific policies.
The Cyber Executive Order
The second executive order, signed on May 11, 2017, (the “Cyber EO”) requires a comprehensive review of the federal government's information technology resources, with the express goal of implementing cybersecurity risk management measures to protect federal networks and data. Every agency within the executive branch will be required to participate. Some agencies are required to produce multiple reports over the next nine to 12 months.
First, each executive branch agency is required to conduct an assessment of its cybersecurity risks based on the Framework for Improving Critical Infrastructure Security (the “Framework") developed by the National Institute of Standards and Technology (NIST) in 2014. The Framework is currently being updated by NIST, with comments on the proposed changes having been submitted last month ("Version 1.1").1 Because the Cyber EO requires that these reports be prepared by August 9, 2017, it is unclear whether Version 1.1 will be ready for agencies to use, or whether the 2014 Framework will be used.
The Secretary for Homeland Security and the Director of the OMB will review the risk assessments, which will be submitted in August 2017, and prepare a report by October 8, 2017, proposing a plan to address each agency’s (i) cybersecurity risks; (ii) unmet budgetary needs; and (iii) proposals to align the agency's policies, standards and guidelines with the Framework.
As the executive branch agencies conduct their risk assessments, the newly created American Technology Council, described above, is tasked with preparing a report by August 9, 2017, on the legal, policy and budgetary considerations associated with transitioning all executive branch agencies to shared IT services (including email, cloud and cybersecurity services). To complete this report, all executive branch agencies are directed to coordinate with and supply the Council with their current IT architectures.
Cybersecurity of Critical Infrastructure:
In addition to the risk assessments, the Cyber EO directs the preparation of reports assessing the cybersecurity of critical infrastructure entities. These reports are due as follows:
|Market Transparency of Cybersecurity Risk||August 9, 2017|
|Electricity Disruption Incident Response Capabilities||August 9, 2017|
|Department of Defense Warfighting Capabilities and Industrial Base||August 9, 2017|
|Critical Infrastructure at Greatest Risk||November 7, 2017|
|Resilience Against Botnets and Automated Distributed Threats||January 6, 2018|
Cybersecurity of Nation:
The Cyber EO further addresses cybersecurity priorities to protect U.S. citizens on the internet and the development of a workforce skilled in cybersecurity. Additional reports are to be prepared and delivered to the president as follows:
|International Cybersecurity Priorities of Secretary of State, Defense, Commerce and Homeland Security||June 25, 2017|
|International Workforce Cybersecurity Education and Training||July 10, 2017|
|Deterring Adversaries and Protecting Americans from Cyber Threats||August 9, 2017|
|Domestic Workforce Cybersecurity Education and Training||September 8, 2017|
|International Cooperation and Engagement Strategy||September 23, 2017|
|Maintaining Advantage in National Security-Related Cyber Capabilities||October 8, 2017|
These reports will require coordination and cooperation among federal agencies and cabinet-level departments within the executive branch. Not surprisingly, the Secretary of Homeland Security will be leading many of the efforts, along with the Secretary of Defense, the Director of the Federal Bureau of Investigation and the U.S. Attorney General.
* * * *
The Cyber EO will require substantial coordination among the various executive branch agencies, White House staff and international partners. At least seven reports covering different subjects are required to be submitted by August 9, 2017, with an additional five reports due by January 2018.
These aggressive timelines may be difficult to meet because the NIST Framework is currently being revised and may not be ready for use by the executive branch agencies in the preparation of risk assessments due by August 9, 2017. As a result, it is unclear how useful the risk assessments will be in light of the outdated state of the 2014 Framework, and the substantial changes proposed in Version 1.1.