President’s Cybersecurity Executive Order

Dave McClure, Chief Strategist, Coalfire Federal

On May 11, 2017, President Trump released the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This E.O., while standalone in focus, should be seen in the context of a broader move in the Executive Branch to elevate awareness of, and preparation for, better cybersecurity across government. This is evidenced by the complementary cyber actions in the Presidential Executive Orders creating the Office of American Innovation and the American Technology Council, which call for IT modernization and customer service excellence, as well as the Office of Management and Budget (OMB) Director’s Memo M-17-22 outlining reform toward a smaller, more accountable and more efficient federal government. The issuance of these directives does not in and of itself “solve” the government’s modernization, cyber, and performance problems; rather, collectively they denote a priority in the new administration for cyber and a recognition of the need for a coordinated approach across government and with the commercial sector.

Inherent in the Cyber EO is a requirement for agency heads to manage cybersecurity risk using the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and to provide a risk management report to OMB and the Department of Homeland Security (DHS) within 90 days. OMB will work with DHS to evaluate these reports and provide a consolidated assessment and plan to the President.

Additional reports to the President are required, involving numerous federal organizations such as OMB, the Office of American Innovation, the American Technology Council, the Director of National Intelligence, the FBI, the Department of Justice, the Department of Homeland Security, the Department of Defense, the Department of Commerce, the State Department, Treasury, Education, Labor and the General Services Administration.

  • Overall government risk management report from OMB and DHS (60 days after the agency reports are received)

  • Agency risk management reports (90 days)

  • IT modernization report from the American Technology Council (90 days)

  • Report on cybersecurity risks facing the Defense Industrial Base (DIB) and its supply chain (90 days)

  • Cyber deterrence report (90 days)

  • Report on cyber workforce (120 days)

  • National Security Systems implementation report (150 days)

What Does the Cyber EO Mean for Government and Commercial Clients?

  1. The message is clear: the White House expects federal leadership to take cybersecurity seriously and standardize its implementation approach as agencies construct their technology modernization and digital transformation agendas. As noted, this keystone Cybersecurity Executive Order helps solidify cyber policy matters reiterated in other presidential orders establishing the Office of American Innovation and the American Technology Council, and in the OMB Director’s government reorganization/reform memo.

  2. Shared services for IT and consolidated network architectures are an expectation of all agencies. This Executive Order plus the OMB Government Reform/Reorganization guidance memo (M-17-22) from the Director is expected to streamline shared services adoption. This road, however, has been traveled several times with only mediocre success.

  3. Competency over rote compliance is being stressed, with mission-based risks fully understood and owned by agency leadership. Common risk management assessments underlie both the views into current security postures and the expected actions to bolster resilience.

  4. Executive agency leadership is expected to move to a model of full ownership and accountability for the security related to its mission delivery. This mirrors trends in the private sector where CEOs and Boards of Directors are directly engaged in security strategies and demanding ongoing security posture reporting, risk-based prioritization, spending tradeoffs and performance results.

  5. A joint business/government approach is being created for delivering effective cybersecurity for the nation. The marker is set for critical infrastructure protection and resilient supply chains in important sectors such as power, oil and gas, water, public health and safety, national security, and economic security. Formal, transparent, and timely data sharing and security technology innovation between the public and private sectors are expected to be expedited.
