Executive Order addresses nation’s cybersecurity vulnerabilities
Posted May 16, 2017
In response to recent worldwide cyberattacks such as the WannaCry ransomware, President Donald Trump issued an Executive Order (EO) to address the nation’s cybersecurity vulnerabilities. According to the White House, the cybersecurity of the federal government, along with the cybersecurity of critical American network infrastructure, is under “constant attack from both foreign and domestic sources.”
Further, every day the White House receives new reports of major U.S. corporations being hacked by foreign-based threats. Under the new EO, it is now U.S. policy to manage cybersecurity risk as a federal enterprise. The EO also emphasizes cybersecurity by:
- Mandating the use of the National Institute of Standards and Technology Cybersecurity Framework across government;
- Directing federal agency heads to begin planning for the deliberate modernization of federal Executive Branch information technology (IT);
- Holding accountable cabinet secretaries and agency directors for managing cyber risk for their areas of responsibility;
- Optimizing the government’s information systems, prioritizing modernity, safety, usability, and economy while addressing security.
Specific actions include:
- Requiring all agencies to use the industry-standard NIST Cybersecurity Framework (Framework) to manage their cybersecurity risks;
- Requiring all agencies to prefer shared IT services in all future procurements, to the maximum extent allowed under the law;
- Requiring all agencies to explicitly document their cybersecurity risk mitigation and acceptance choices, including any decisions not to mitigate known vulnerabilities in a timely manner, and to describe their action plan for implementing the Framework in a report to the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB);
- Requiring the Secretary of DHS and the Director of OMB to evaluate the totality of these reports to comprehensively assess the adequacy of the government’s overall cybersecurity risk management posture and to propose changes in law, policy, and budgeting to adequately protect the executive branch enterprise;
- Requiring the Secretary of Defense and the Director of National Intelligence to undertake comparable efforts for national security systems; and
- Empowering the White House’s American Technology Council to launch a process of planning for the deliberate modernization of Federal IT, including the technical feasibility and cost effectiveness of transitioning agencies to one or more consolidated network architectures and shared services such as email.
Because the private sector is heavily involved in the nation’s infrastructure, the EO also directs the federal government to partner with private industry to protect critical infrastructure.
To create this partnership, the EO calls for:
- Establishing a clear policy that the federal government should bring to bear all of its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the nation’s critical infrastructure;
- Requiring civilian, military, and intelligence agencies to develop an integrated, comprehensive inventory of the specific legal authorities and capabilities that agencies could employ to support the cybersecurity risk management efforts of those critical infrastructure entities at greatest risk of attacks that could result in catastrophic impacts;
- Requiring these agencies to offer voluntary support to these entities, and to work directly with them to solicit their feedback and input on any gaps in the government’s cybersecurity toolkit, including gaps in law, policy, or budgeting;
- Evaluating federal efforts to promote transparency in cybersecurity risk management practices within critical infrastructure to support market-driven risk management decisions;
- Convening the private sector to address complex Internet of Things (IoT) cybersecurity challenges, starting with denial of service attacks perpetrated by IoT devices;
- Strengthening the nation’s ability to respond to and recover from a prolonged power outage caused by a cyber-attack; and
- Mitigating cybersecurity risks to Department of Defense weapons platforms and the defense industrial base, including risks associated with foreign manufacture of sensitive components.
Finally, the EO addresses the issue of deterrence and stresses forging international partnerships to “fight back against cyberattacks across the globe.”