The latest draft of President Donald Trump’s long-awaited executive order on cybersecurity requires a plan for transitioning all Federal agencies to shared services for email, cloud computing, and cybersecurity, and directs senior officials to study the feasibility of transitioning agencies to one or more consolidated network architectures.
The order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” obtained by MeriTalk, is a significant departure from earlier drafts. The latest version focuses heavily on interagency coordination, and makes modernization of legacy systems a central component of the plan to improve cybersecurity across civilian agencies.
“The executive branch has for too long accepted antiquated and difficult to defend IT and information systems,” the order states. “Effective immediately, it is the policy of the United States to build a more modern, more secure, and more resilient Executive Branch IT architecture.”
The order gives the heads of OMB, DHS, Commerce, and the General Services Administration 150 days to develop technical plans and timelines for transitioning all civilian agencies to “one or more consolidated network architectures” and shared IT services.
Reps. Will Hurd, R-Texas, and Gerry Connolly, D-Va., intend to introduce a new version of the Modernizing Government Technology (MGT) Act, which passed the House but stalled in the Senate long enough that it did not clear the 114th Congress before it ended. The bill would provide a revolving capital fund for modernizing Federal IT systems.
As in earlier drafts, the latest version of the executive order holds agency heads accountable for managing cyber risk and makes it the policy of the U.S. “to manage cyber risk as an executive branch enterprise.”
Likewise, the order requires agencies to follow “The Framework for Improving Critical Infrastructure Cybersecurity,” developed by the National Institute of Standards and Technology, as the basis for their risk management program. Agencies have 90 days to provide OMB and DHS with a risk management report that describes steps taken to follow the NIST Framework and the risk acceptance choices they’ve made.
One notable change from the previous draft of the order is the requirement for agencies to “explicitly” document any accepted risk stemming from unmitigated vulnerabilities. Because of the sensitive nature of such information, the order allows agencies to classify the report “in full or in part, as appropriate.”
The order continues efforts started under the Obama administration to work more closely with private sector owners and operators of critical infrastructure. The Department of Homeland Security will lead an effort, with support from the secretary of defense, the attorney general, the director of the FBI, and various sector-specific agencies, to evaluate Federal authorities and capabilities to help critical infrastructure operators improve their cybersecurity posture. Earlier drafts of the order did not mention the FBI or the Justice Department.
Another addition to the order involves developing a cyber deterrence strategy. The departments of state, treasury, defense, commerce, and homeland security, along with the attorney general, the director of national intelligence, and the U.S. trade representative, must develop within 90 days “strategic options for deterring adversaries and better protecting the American people from those who would use networked technology to defeat or undermine this policy.”