President’s Cybersecurity Executive Order

May 19, 2017, Dave McClure, Chief Strategist, Coalfire Federal

On May 11, 2017, President Trump released the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This E.O., while stand-alone in focus, should be seen in the context of a broader move in the Executive Branch to elevate awareness of and preparation for better cybersecurity across government. This is evidenced by the complementary cyber actions in the Presidential Executive Orders creating the Office of American Innovation and the American Technology Council, which call for IT modernization and customer service excellence, as well as the Office of Management and Budget (OMB) Director's Memo 17-22, which outlines reform toward a smaller, more accountable and more efficient federal government. The issuance of these directives does not in and of itself "solve" the government's modernization, cyber, and performance problems; rather, collectively they signal that cyber is a priority for the new administration and reflect a recognition of the need for a coordinated approach across government and with the commercial sector.

Inherent in the Cyber EO is a requirement for agency heads to establish a risk-based program using the latest NIST Risk Management Framework for cybersecurity and to provide OMB a risk-based management assessment within 90 days. OMB will work with the Department of Homeland Security (DHS) to evaluate these plans and provide a consolidated report to the President.

Additional reports to the President are required, involving numerous federal organizations such as OMB, the Office of American Innovation, the American Technology Council, the Director of National Intelligence, the FBI, the Department of Justice, the Department of Homeland Security, the Department of Defense, the Department of Commerce, the State Department, Treasury, Education, Labor and the General Services Administration:

  • Overall government risk management report from OMB (60 days)
  • Agency risk management reports (90 days)
  • IT modernization report from the American Technology Council (90 days)
  • Report on cybersecurity risks facing the Defense Industrial Base (DIB) (90 days)
  • Cyber deterrence report (90 days)
  • Report on the cyber workforce (120 days)
  • National Security Systems and implementation report (150 days)

What Does the Cyber EO Mean for Government and Commercial Clients?

  1. The message is clear: the White House expects federal leadership to take cybersecurity seriously and to standardize its implementation approach as agencies construct their technology modernization and digital transformation agendas. As noted, this keystone Cybersecurity Executive Order helps solidify cyber policy matters reiterated in other presidential orders establishing the Office of American Innovation and the American Technology Council, and in the OMB Director's government reorganization/reform memo.

  2. Shared services for IT and consolidated network architectures are an expectation for all agencies. This Executive Order, together with the OMB Government Reform/Reorganization guidance memo (M-17-22) (PDF) from the Director, is expected to streamline shared services adoption. This road, however, has been traveled several times with only mediocre success.

  3. Competency over rote compliance is being stressed, with mission-based risks fully understood and owned by agency leadership. Common risk management assessments underlie both the views into current security postures and the expected actions to bolster resilience.

  4. Executive agency leadership is expected to move to a model of full ownership and accountability for the security of its mission delivery. This mirrors trends in the private sector, where CEOs and Boards of Directors are directly engaged in security strategies and are demanding ongoing security posture reporting, risk-based prioritization, spending tradeoffs and performance results.

  5. A joint business/government approach is being created for delivering effective cybersecurity for the nation. The marker is set for critical infrastructure protection and resilient supply chains in important sectors such as power, oil and gas, water, public health and safety, national security, and economic security. Formal, transparent, and timely data sharing and security technology innovation between the public and private sectors are expected to be expedited.
