Trump Issues First Executive Order on Cybersecurity: While Goals Are Ambitious, Timelines Are Tight

by Ropes & Gray LLP
Contact

Ropes & Gray LLP

On May 11, 2017, President Donald J. Trump signed an executive order addressing cybersecurity risk management across three key areas: (1) federal government networks, (2) critical infrastructure, and (3) cybersecurity for the nation as a whole (Order). The Order builds upon Presidential Policy Directive 21, issued by the prior administration on February 12, 2013, and orders agency heads and leaders across the executive branch to undertake a period of cybersecurity risk assessment, planning and reporting.

Taken together, the Order and its mandates aim to jump-start cybersecurity risk management activities within the federal government and establish concrete steps toward solving the aging federal information technology infrastructure – an area longcited as needing modernization. But while the Order’s requirements are substantial, the reporting deadlines are relatively short, and many experts in the field query whether impacted agencies – many of which already are facing budget constraints – can undertake meaningful risk assessments and required planning activities on such important topics within these tight timelines.

Embedded within the heap of reporting requirements were several new policy declarations on cybersecurity for the Trump administration:

  • Risk Allocation: Heads of executive departments and agencies shall be directly accountable for managing cybersecurity risks for their organizations;
  • NIST Cybersecurity Framework Alignment: Agencies must follow the NIST Cybersecurity Framework for its cybersecurity risk management, and the executive branch plans to align existing cybersecurity and policy regulations with the Framework; and
  • Shared / Consolidated Services: Agencies must “show preference” for shared IT services (including e-mail, cloud and cybersecurity services), and the executive branch aims to transition all agencies to using shared IT services, where feasible.

In all events, we can expect a flurry of activity across the federal government over the next few months as stakeholders work to meet the requirements of this ambitious Order. Here is a breakdown of those requirements.

Cybersecurity of Federal Networks

The Order establishes that it is “the policy of the United States to manage cybersecurity risk as an executive branch enterprise” and that “the President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.”

In particular, the Order provides that agency heads will be held accountable to:

  • Implement “risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data”; and
  • Ensure “that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes.”

Toward that end, the Order directs all agencies to use the NIST Framework for Improving Critical Infrastructure Cybersecurity (known as the “Cybersecurity Framework”) to manage each agency’s particularly cybersecurity risk. Notably, NIST released a proposed updated version of the Cybersecurity Framework earlier this year, adding a number of proposed improvements including important supplier controls.

90-Day Agency Reports

In addition, within 90 days of the executive order, all federal agencies must submit a cybersecurity “risk management report” to the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB), documenting:

“(A) the risk mitigation and acceptance choices made by each agency head as of the date of this order, including:

(1) the strategic, operational, and budgetary considerations that informed those choices; and

(2) any accepted risk, including from unmitigated vulnerabilities; and

(B) describe the agency's action plan to implement the Framework.”

The goal of part (A) is to document a baseline of the agency’s current risk profile with relevant considerations, and the goal of part (B) is to outline the agency’s proposed steps for how to map and align that baseline to the Cybersecurity Framework.

Special rules and timing requirements apply to any National Security Systems.

60-Day Determination and Plan

After receiving the risk management reports from the agency heads, the Order then directs DHS and OMB, along with other stakeholders, to submit a report to the President within 60 days that assesses each agency report and makes a determination as to “whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate (the determination).” That 60-day report must also establish a plan to: 

  • mitigate any identified risks to the executive branch;
  • address immediate unmet budgetary needs;
  • establish a regular process for reassessing these risks and future recurring budgetary needs; 
  • revise all policies, standards, and guidelines issued by any agency necessary to meet the objectives of the Order, consistent with law; and
  • align such policies, standards, and guidelines with the Cybersecurity Framework. 

Preference for Shared Services

The Order establishes a policy “to build and maintain a modern, secure, and more resilient executive branch IT architecture.” Toward that end, the Order directs agency heads to “show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.” This mandate brings the federal government more in line with the private sector trend in this same direction.

The Order also directs the American Technology Council to coordinate a report with relevant stakeholders within 90 days of the Order for how to modernize federal information technology systems. This report must outline the considerations relevant to transitioning federal agencies to consolidated network architecture and shared IT services. The Order directs agency heads to supply “information concerning their current IT architectures and plans as is necessary to complete this report on time.”

Cybersecurity of Critical Infrastructure

The second part of the Order focuses on using the executive branch’s “authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure ... as appropriate.” The term “critical infrastructure” is defined in 42 USC s. 5195c(e) as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

This portion of the Order directs the DHS and relevant stakeholders to identify critical infrastructure at greatest risk of “attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security (section 9 entities)” and, within 180 days, to provide a report to the President with findings and recommendations for how to support the cybersecurity risk management activities of such critical infrastructure. The Order calls for an updated report to the President annually thereafter.

The Order then directs DHS and other relevant stakeholders to: 

  • Within 90 days of the order, produce a report examining the “sufficiency of existing federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities”
  • Lead an “open and transparent process” to identify ways “to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets)” producing a preliminary report of recommendations within 240 days and a final report due to the President one year from the date of the Order.

As for the energy sector, within 90 days of the Order, the Secretary of Energy, in collaboration with other stakeholders, must assess the “potential scope and duration of a prolonged power outage” that could stem from a significant cyberincident, the nation’s readiness to deal with such an outage, and any “gaps in assets or capabilities” necessary to address such an incident.

And finally, for the defense sector, within 90 days of the Order, the Secretary of Defense working with relevant stakeholders must report to the president on “cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks.”

Cybersecurity of the Nation

The third and final substantive part of the Order focuses on cybersecurity of the nation as a whole and establishes that in order to “ensure that the internet remains valuable for future generations, it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.”

This portion of the Order focuses on deterrence and protection and international cooperation. In particular, it directs more reports to be prepared and submitted to the President:

  • Within 90 days, the Secretary of State, in collaboration with other stakeholders including trade representatives, must submit a report to the President “on the Nation's strategic options for deterring adversaries and better protecting the American people from cyber threats.”
  • Within 45 days, the Secretaries of State, Treasury, Defense, Commerce, and Homeland Security, in coordination with the Attorney General and the Director of the FBI, “shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation.”
  • Within 90 days, the Secretary of State must, in collaboration with the other Secretaries, provide a report to the President, “documenting an engagement strategy for international cooperation in cybersecurity.”

The Order closes its substantive directives by requiring a series of additional reports designed to identify and assure the development of a workforce to support the nation’s growing cybersecurity needs, and to ensure the United States “maintains a long-term cybersecurity advantage.”

Conclusion

As the Trump administration’s first executive action on cybersecurity, the Order calls for a thorough review of the federal government’s cybersecurity practices, but imposes minimal immediate consequences on the private sector or the marketplace.

At several points across the past three months, previously circulated drafts of the executive order did not allocate direct cybersecurity responsibility to agency heads, nor did it include the Federal Bureau of Investigation in its infrastructure review; both features are now included in the signed Order. By including defense and intelligence agencies in the infrastructure review, the executive order also allocates more responsibility to the military for federal cybersecurity, which had been previously resisted by the Obama administration.

Beyond the Order’s reporting and review requirements, the Order does signal the growing importance of the NIST Cybersecurity Framework on both the public and private sectors. The NIST Cybersecurity Framework was originally published in 2014 as a voluntary set of guidelines for federal agencies. Increasingly, regulators have referenced the NIST Cybersecurity Framework in their industry guidance and enforcement actions in an effort to guide companies toward its adoption. Now entities conducting business with federal agencies, directly or indirectly, should anticipate that government agencies will expect that those with whom those agencies do business will have adopted and be operating under the NIST Cybersecurity Framework or a widely recognized alternative. Moreover, the emphasis the Order places on consolidation of services should lead more service providers to consider the benefits of becoming FEDRAMP-certified.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising

Written by:

Ropes & Gray LLP
Contact
more
less

Ropes & Gray LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.