President Trump Signs An Executive Order On Cybersecurity

How the Order Affects Federal Cybersecurity

On Thursday, May 11, 2017, President Trump signed an executive order on cybersecurity (Executive Order 13800).  (The full text of the order can be found here.)  The order had been discussed and anticipated in the cybersecurity community for a long time, dating back to the Obama administration.  It has been generally well-received in the cybersecurity community.

There are a few key mandates in the document.  It requires that agency heads take ultimate responsibility for cybersecurity risk in their agencies, as opposed to passing the buck to their IT departments.  It also mandates a unified approach to risk management across the Executive branch: each agency must use the Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology (NIST) to manage its cybersecurity risk, and must report on its risk management to the Department of Homeland Security and the Office of Management and Budget.

It also mandates that “Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture” and that “Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.”  In practice this will most likely mean large cloud and shared-services contracts going to the major providers, such as Google, Amazon (AWS) and Microsoft (Azure).

The document also addresses improving cybersecurity defenses for critical infrastructure (like the power grid) and making the internet in the US more resilient to automated, distributed attacks (like those launched from botnets).  Finally, it mandates development of a plan to ensure sufficient education and training for a robust cybersecurity workforce in both the private and government sectors.

Where does this order fall in the context of other recent government cybersecurity orders?

President Trump’s executive order is just the latest in a series of rules recently published regarding cybersecurity in the federal government.  On February 9, 2016, President Obama announced the Cybersecurity National Action Plan (CNAP).  Two related executive orders on cybersecurity were also signed at the time.  Among other elements, CNAP proposed a multi-billion dollar Information Technology Modernization Fund to enhance federal IT systems and created the position of Federal Chief Information Security Officer.

On September 14, 2016, the National Archives and Records Administration (NARA) issued a final rule that established a government-wide procedure for identifying and protecting Controlled Unclassified Information (CUI).

On October 21, 2016, the Department of Defense (DoD) published a final rule on the DFARS clause that requires cybersecurity practices based on NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.  Defense contractors have until December 31, 2017 to become compliant.  It is likely that a final FAR clause applying to all contractors doing business with the federal government will also be based on the same NIST guidelines.