The President’s Executive Order (EO), Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, notes “The executive branch has for too long accepted antiquated and difficult-to-defend IT.”
Originally planned for release at the end of January, this EO addresses federal network and infrastructure cybersecurity concerns. Federal agencies are to take certain actions such as reporting on their risk mitigation measures and complying with NIST’s Framework for Improving Critical Infrastructure Cybersecurity. This EO also directs defense agencies, the US attorney general, and the FBI to provide the White House with recommendations on how to improve cybersecurity among critical infrastructure industries.
The Executive Order has three key sections: (1) Cybersecurity of Federal Networks; (2) Cybersecurity of Critical Infrastructure; and (3) Cybersecurity for the Nation. The first section is the President’s mandate for federal agencies to undertake, and report on, the risk management assessments, as part of developing an overall approach to improving cybersecurity within the Executive Branch. It addresses accountability and notes the “President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.” The policy section goes further and states “because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise.”
Consistent with this enterprise approach, this section of the EO seems to suggest that, “effective immediately,” “[a]gency heads shall show preference in their procurement for shared IT services, ... including email, cloud, and cybersecurity services.” The EO, however, does not explain how this procurement preference will be implemented and recognizes that this preference would be implemented only “to the extent permitted by law.” Nonetheless, this section of the EO confirms that, despite the change in administration, cybersecurity remains a key issue and that the Executive Branch will seek to address cyber threats on an enterprise-wide basis.
The second section of the EO references EO 13636, Improving Critical Infrastructure Security, issued by President Obama in 2013. That EO mandated certain federal agency cybersecurity actions to protect the nation’s critical infrastructure. This EO reinforces concerns about cybersecurity risks existing in the nation’s critical infrastructure (such as the electric grid) and directs agency heads to report within 90 days on risk management measures, including what risks they have chosen to mitigate or accept, and how they will implement the NIST Framework. Then, after reviewing the agency reports, the Secretary of DHS and the Director of OMB will advise the President on federal agency actions to specifically address cybersecurity risk management for private sector owners and operators of the nation’s critical infrastructure.
The third section addresses other evaluation and reporting requirements to consider cybersecurity “for the nation,” directing certain agencies to prepare reports addressing other issues, such as “strategic options for deterring adversaries,” “international cooperation,” and “workforce development” “in order to ensure that the United States maintains a long-term cybersecurity advantage.” It remains to be seen whether those steps will result in any changes in US policy on certain issues.
As noted above, the requirements of this EO, particularly Section 1, immediately impact federal agencies and lay the groundwork for a comprehensive national cybersecurity policy. Most significantly, the EO adopts NIST’s Framework for Improving Critical Infrastructure Cybersecurity. As NIST explains, this Framework can then be “used to translate among a variety of risk management practices and support federal agencies as they interact with a wide variety of suppliers,” and cybersecurity profiles in the Framework “can be incorporated into the acquisition process as the underpinning of: evaluation criteria (agency), solicitation response (supplier), . . . minimum contract requirements (agency), [and] contract compliance.” See Draft NIST Cybersecurity Framework Implementation Guide at 14. For that reason, contractors should pay attention to the actions taken as a result of this EO.