On May 11, 2017, President Trump signed a long-awaited executive order on cybersecurity (the “Order”). The Order directs executive agencies to complete a risk management report based on the NIST Cybersecurity Framework (the “Framework”) and also requires the Department of Homeland Security (DHS) and other agencies to undertake activities in support of effective cybersecurity risk management for operators of critical infrastructure. More generally, the Order directs several agencies to submit reports to the President on a varied set of cybersecurity-related topics. These measures demonstrate a continued concern for cybersecurity strength and resilience in both the public and private sectors.
Executive Agencies
The Order directs executive agencies to use the Framework to manage their cybersecurity risk, and holds the heads of agencies accountable for implementing appropriate risk management measures. Along those lines, agencies must submit a “risk management report” to DHS and the Office of Management and Budget (OMB) containing a discussion of risk mitigation choices, accepted risks, and implementation of the Framework. DHS and OMB, in turn, will submit a report to the President on whether the choices reflected in the reports are sufficient to manage the aggregate cybersecurity risk to the executive branch, along with a plan aimed at protecting against this aggregate risk. The Order also requires specified agencies to submit a report to the President regarding, among other things, modernization of federal IT and the potential effects of consolidating federal IT infrastructure.
Critical Infrastructure
The Order largely focuses on assessment and reporting of various cybersecurity issues related to critical infrastructure. For example, it requires DHS to identify capabilities that agencies could use to support the cybersecurity efforts of critical infrastructure entities at greatest risk of attack, and to solicit input from such entities to evaluate these capabilities. DHS is also required to submit initial and annually updated reports to the President on this subject.
Interestingly, the Order also specifically requires the Department of Commerce (DOC) and DHS to lead a “process” to encourage appropriate stakeholders to reduce the threat of botnets and similar forms of attack. DOC and DHS will make publicly available a preliminary report on this effort and submit a final version of the report to the President at a later date. The Order also requires the submission of a report on the risks posed by a prolonged power outage caused by a cyberattack.
Cybersecurity for the Nation
Finally, the Order contains some provisions related to cybersecurity engagement and education. For example, several executive agencies are required to jointly submit a report on strategic options for deterring cyber adversaries and protecting the American people from cyber threats. Similarly, several executive agencies are required to submit individual reports to the President on their “international cybersecurity priorities,” including, for example, international cooperation. Based on these reports, the Department of State is required to submit a report documenting an engagement strategy for international cooperation in cybersecurity.
In addition, several agencies are required to assess the scope and sufficiency of cybersecurity education and to provide a report to the President on their findings and recommendations for supporting growth in the cybersecurity workforce. Also required are reports on foreign cybersecurity workforce development practices and on the scope and sufficiency of US efforts to maintain its advantage in cyber capabilities related to national security.