Sheila Millar and Tracy Marshall

On May 11, President Trump issued the Executive Order “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which centers on federal networks, critical infrastructure, and the nation’s overall cybersecurity. The order largely expands on cybersecurity recommendations developed during the Obama administration. The order calls for a review of vulnerabilities and preparedness by the Secretary of Homeland Security and the Director of the White House Office of Management and Budget (OMB), who are directed to “jointly assess each agency’s risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch.” Key provisions include:

  • Federal agency heads will now be held accountable for cybersecurity in their agencies. They are required to review their computer security measures and submit a risk management report to the Secretary of Homeland Security and the Director of OMB within 90 days.
  • The head of the Department of Homeland Security is responsible for oversight of the cybersecurity measures of companies that DHS has determined are “at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” and must report on the adequacy of the security protocols of such businesses to the President within 6 months.
  • Federal agencies are instructed to implement the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The NIST Cybersecurity Framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia, and government agencies.

Many analysts are calling the executive order a good first step but note there is considerable work still to be done, including details of how expanded cybersecurity infrastructure will be funded and how the new regime will be implemented.

The recent, destabilizing “WannaCry” ransomware attacks made all too apparent how important it is to have a strong cybersecurity regime in place. As predicted, the government is looking to the NIST Cybersecurity Framework as a guide for managing cybersecurity risks for government agencies and critical infrastructure businesses. Whether or not your business is part of a critical infrastructure industry, the Framework can be a useful tool in understanding and managing security risks.