With coincidental timing amid a global cyber-security attack by the WannaCry virus, President Donald J. Trump has issued an Executive Order on “Strengthening the Cyber-security of Federal Networks and Critical Infrastructure.”
“The President will hold heads of executive departments and agencies (agency heads) accountable for managing cyber-security risk to their enterprises,” the order says. “In addition, because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the U.S. to manage cyber-security risk as an executive branch enterprise.”
“Cyber-security risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents,” it adds. “The executive branch has for too long accepted antiquated and difficult-to-defend IT.”
Effective risk management, it says, involves more than just protecting IT and data currently in place. “It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity,” the order continues, adding that “known but unmitigated vulnerabilities are among the highest cyber-security risks faced by executive departments and agencies.”
Known vulnerabilities include using operating systems or hardware beyond the vendor's support lifecycle, declining to implement a vendor's security patch, or failing to execute security-specific configuration guidance.
Effective risk management, the Executive Order says, requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources. Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.
“They will also be held accountable by the President for ensuring that cyber-security risk management processes are aligned with strategic, operational, and budgetary planning processes,” it adds.
Effective immediately, each agency head was instructed to use the Framework for Improving Critical Infrastructure Cyber-Security developed by the National Institute of Standards and Technology, or any successor document, to manage their agency's cyber-security risk.
Each agency head is ordered to provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget within 90 days of the order.
The risk management report will document the risk mitigation and acceptance choices made by each agency head as of the date of this order, including the strategic, operational, and budgetary considerations that informed those choices and any accepted risk, including from unmitigated vulnerabilities. It will also describe the agency's action plan to implement the Framework.
The Secretary of Homeland Security and the Director of OMB will jointly assess each agency's risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cyber-security risk to the executive branch.
Among other efforts, separate plans will address how to adequately protect the executive branch and how to support the cyber-security risk management efforts of the owners and operators of the nation's critical infrastructure.
The Secretary of Commerce and the Secretary of Homeland Security are instructed to lead “an open and transparent process” to identify and promote action, by appropriate stakeholders, to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks.
Those efforts will be in consultation with the Secretary of Defense, the Attorney General, the Director of the Federal Bureau of Investigation, the heads of sector-specific agencies, and the Chairs of the Federal Communications Commission and Federal Trade Commission.
Within 240 days of the order, the Secretary of Commerce and the Secretary of Homeland Security are instructed to release a preliminary report on this effort. Within 1 year, a final version of the report will be delivered to the President.
The Secretary of Energy and the Secretary of Homeland Security, in consultation with the Director of National Intelligence, and state, local, and tribal governments, shall jointly assess: the potential scope and duration of a prolonged power outage associated with a significant cyber-incident; the readiness of the U.S. to manage the consequences of such an incident; and any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident.
The assessment shall be provided to the President within 90 days of the date of the order. It may be classified in full or in part, as appropriate.
The Secretary of Defense, the Secretary of Homeland Security, and the Director of the Federal Bureau of Investigation will provide a report on cyber-security risks facing the defense industrial base, including its supply chain, and military platforms, systems, networks, and capabilities. The report will include recommendations for mitigating these risks and may be classified as appropriate.
Another report will address international cyber-security priorities and threat information sharing. A multi-agency report focused on domestic matters will assess “the scope and sufficiency of efforts to educate and train the American cyber-security workforce of the future, including cyber-security related education curricula, training, and apprenticeship programs, from primary through higher education.”