The Biden administration’s cybersecurity executive order (EO), issued in May 2021, brought along an ambitious deadline schedule for reporting requirements, which Federal chief information officers (CIOs) advise agencies to meet – even if their answer is that they’re “not ready yet.”
OPM CIO Guy Cavallo said meeting these reporting requirements is vital for the administration, specifically the Office of Management and Budget (OMB), to get the full picture of where agencies are in their cybersecurity journeys.
“Something very important is that, with any executive order, there are always deadlines and you want to make sure that you meet the deadlines, even if your answer is ‘we’re not ready yet,’” Cavallo said during ATARC’s Federal CIO Virtual Summit on Jan. 25.
“I’ve seen a number of agencies just miss deadlines, which then causes additional angst for everybody in the process, because at the OMB level, they’re not getting the full picture of the Federal government and at the agency level, maybe you didn’t have the right resources with it,” Cavallo added.
In order to hit the reporting deadlines at OPM, Cavallo said he pulled together a senior leadership team and assigned an executive leader to each major area of the EO, because it “not only talks about CIO functions, it talks about procurements and things outside of the CIO jurisdiction.”
Cavallo noted that the EO’s focus area “was very broad,” so he needed to make sure he had people working on each area in order to meet those reporting requirements. He said the senior leadership team together developed a consistent agency reporting format for the EO.
Gerald Caron, CIO and assistant inspector general for information technology at the Department of Health and Human Services (HHS) Office of the Inspector General (OIG), noted that the EO, especially its zero trust push, is a journey that agencies will not complete within a year.
“I think the executive order – and I think they know – that it is going to be a journey, it’s not going to be something that is going to be done this year,” Caron said. “It is an architecture, it is a, you know, the long game when you’re approaching it. So, we’re drawing out our own roadmap and we’ll collaborate with our parent agency and help where needed.”
Nevertheless, no matter where agencies are on their EO journeys, Caron encouraged agencies to “reach out and utilize your resources to work with others.”
Cavallo also reminded agencies that “there’s no part of the executive order on cyber that is less important than the rest.”
“My word of advice to anybody is if you haven’t changed the way you’re doing cyber from five years ago, you really need to read this executive order and change,” Cavallo said. “You cannot answer most of the requirements today with what you used to do. You have to change.”