On May 11th, in the wake of a series of wide-ranging cyber breaches and attacks plaguing public and private sectors alike, President Trump signed a long-awaited Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Last week, OMB followed up with guidance on how the order’s ambitious reporting mandates and sweeping policy declarations will be implemented.
The order represents the Trump Administration’s first significant action to support cybersecurity and protect critical infrastructure, and the initial days after its release generated a flurry of questions on the specifics of the White House’s cyber agenda: How will the order mesh with existing federal cyber requirements? What responsibilities or consequences have been placed on the private sector? Will the order meaningfully advance cyber preparedness?
While only time will tell on the last question, now that the dust has settled, we have a fuller picture of how this latest directive will be rolled out and how it will affect government and industry.
Considerations and Opportunities for Business
The order’s aim is to improve the cyber resiliency of federal agencies and enhance protection of infrastructure like the electric grid—necessary goals in light of the 2015 Office of Personnel Management data breach that affected millions of records and consistent warnings from national security experts on the vulnerabilities of the nation’s electric systems.
The order is organized into three sections with distinct focuses on (1) federal networks, (2) certain critical infrastructure entities, and (3) the nation as a whole. These sections, a fuller summary of which is included below, largely build on the previous Administration’s cybersecurity efforts. Indeed, President Trump’s order references both President Obama’s 2013 cyber executive order and the National Institute of Standards and Technology’s Cybersecurity Framework developed as a result of the 2013 order.
The new cyber order, however, renews efforts in the cyber arena by spurring quick action through a series of aggressive reporting mandates that require agencies to identify risk management activities, develop risk management plans, and assess existing practices. While this emphasis on reporting is not unexpected, the deadlines for the mandated reports are noticeably tight, sparking skepticism as to whether they are realistic.
In addition to extensive reporting requirements, the order also includes a number of notable policy directives that raise considerations and, perhaps, opportunities for industry:
- First, the order takes a public-private collaborative approach in its mandates, directing agencies to consult with relevant stakeholders. Consequently, industry may see increased engagement as the executive branch undertakes the many analyses commissioned by the order, and private sector stakeholders should be mindful of opportunities to engage with federal policy-making bodies and regulators.
- While the bulk of the order targets the federal government and does not extend immediate responsibilities or consequences to much of the private sector, covered critical infrastructure entities may experience increased scrutiny. As federal agencies implement cyber standards, critical infrastructure could see pressure to conform to government cybersecurity objectives. Covered entities will also likely be drawn into the various studies that agencies are tasked with completing within the next few months, and should expect to face ongoing oversight as regulators move forward with annual reports due thereafter.
- Publicly traded critical infrastructure entities should also expect additional conversations about market transparency and disclosures of cybersecurity risk management practices. How the federal government’s objectives in this area ultimately shape up and whether substantive regulations emerge remain to be seen.
- Government contractors and participants in the defense industrial base’s supply chain can also anticipate increased engagement as part of the infrastructure review, as President Trump’s order places greater focus on military cybersecurity than under the Obama Administration.
- Those conducting business with the federal government will likely be affected by the order’s directive to show procurement preference for shared IT services; these service providers might consider the benefits of FedRAMP authorization in light of the order’s emphasis on cloud solutions. Additionally, the ever-growing importance of the NIST Framework may lead to future expectations that contractors operate under those guidelines.
Executive Order Overview
Section 1: Federal Networks
Highlighting “known but unmitigated vulnerabilities” throughout the executive branch, Section 1 focuses on modernizing and strengthening agencies’ increasingly antiquated information technology systems. To this end, the Order holds agency heads accountable for risk management and compliance with cybersecurity objectives. Notably, the Order also places increased importance on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, turning a voluntary industry guideline into a mandatory model for future cybersecurity measures within executive departments and agencies—a measure that is likely to create greater consistency in cyber risk management throughout the executive branch.
A series of study and report mandates accompany these objectives, requiring agency heads to assess vulnerabilities, establish mitigation strategies, and describe implementation plans for the NIST framework. Of note for those doing business with the federal government, the Order also directs agency heads to “show preference in their procurement for shared IT services ... including email, cloud, and cybersecurity services.”
Section 2: Critical Infrastructure Entities
Section 2 contains the provisions most relevant to the private sector. Specifically, agency heads are tasked with identifying cybersecurity risks to, and strategies for supporting, critical infrastructure entities as defined under President Obama’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. These “Section 9 entities” are identified by the Secretary of Homeland Security as those in which “a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The Order directs agency heads to engage with Section 9 entities and solicit their input in compiling a report to the President within 180 days, detailing how federal resources may support those entities’ cybersecurity risk management efforts. Updated reports are required on an annual basis thereafter.
This Section further requests a report from the Secretaries of Homeland Security and Commerce, evaluating existing policies for promoting “appropriate market transparency” of cyber risk management practices by Section 9 entities, particularly those that are publicly traded. Another report concerning botnets and other automated threats must be completed within one year of the Order, in collaboration with “appropriate stakeholders.”
Section 2 also targets two specific sectors for additional review and reports. The electric subsector should expect increased engagement as agencies carry out their directive to assess consequences of and mitigation strategies for a prolonged power outage associated with a cyber incident. Defense agencies will also prepare a report detailing cybersecurity risks facing the defense industrial base, including its supply chain.
Section 3: The Nation
To implement the executive branch’s policy of “promot[ing] an open, interoperable, reliable, and secure internet,” Section 3 begins by commissioning a report on deterring cyber adversaries and protecting the American public. Broadening its scope, however, the Order also seeks reports on international cybersecurity and strategies for engaging with the international community. Finally, the Order notes the importance of enhancing our cybersecurity workforce and directs several agencies to evaluate the nation’s curricula and training programs accordingly.
Several questions remain open as implementation proceeds:
- How will “unmet” cybersecurity needs be prioritized, much less funded?
- How quickly can the federal government actually “modernize” its IT infrastructure?
- Will the new cyber-deterrence strategy called for in the E.O. be crafted in a way that lessens the “blame” placed on private sector entities that suffer hacks?