President Trump has issued a much-anticipated executive order (EO) on cybersecurity. The order requires all federal executive agencies to adhere to a single security framework and is intended to improve the nation’s defenses against pervasive cyberattacks.
In light of this order, clients may ask more pointed questions about the security policies and procedures that a company follows, especially if those clients have contracts or subcontracts with U.S. federal government agencies. This new directive heightens the need for companies, especially those in “critical infrastructure” sectors, to adopt a formal cybersecurity standard like the one published by the National Institute of Standards and Technology (NIST). Corporate managers must ensure that cybersecurity is more than a stack of policy papers and is a living and breathing strategy within the organization.
Issued on May 11, the EO is called “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The order requires every federal agency to adopt immediately “The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology,” often abbreviated as the “NIST CSF.” This standard, developed over the past several years by NIST, contains several dozen specific security rules organized under five general categories of action: Identify, Protect, Detect, Respond and Recover. The Obama administration encouraged private companies to adopt this standard, especially those that formed part of the nation’s infrastructure. The current order goes further and requires federal agencies to adopt the same standard promoted within the private sector.
As a point of emphasis, the order places new duties on individual agency leaders. In particular, the order holds each agency head personally responsible for risk management and requires each agency head to report to OMB within 90 days regarding the agency’s budget and plan to institute the NIST CSF.
The EO notes the danger posed by computers that are old and out-of-date. Consistent with President Trump’s emphasis on infrastructure spending, the order states, “Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture.” Therefore, federal agencies must describe their plans to spend the appropriate amount of money on updated technology and consider ways to share technology “in the cloud.”
Finally, the executive order requires several new studies. One due in 180 days will focus on improving risk management within the nation’s critical infrastructure (e.g. financial services, energy, defense). Other reports will address information sharing, botnets and automated attacks, electricity disruption, supply chains within the defense sector, national cybersecurity and workforce training.
Some have already criticized the order as a hollow “plan to plan.” However, we believe the order will likely have several specific impacts:
- By assigning agency heads responsibility for cybersecurity, the topic will take on even more importance in coming weeks and months, especially among government contractors, who will likely face new Federal contract terms affirming that their IT systems meet the new standards.
- By requiring all federal agencies to adopt the NIST CSF, this order could make this framework the default cybersecurity standard for all U.S. businesses, across all sectors.
- With this executive order, cybersecurity will become a more regular topic for legal compliance review during contract negotiations, mergers and acquisitions, and business transactions in general.
Therefore, managers, particularly in businesses in “critical infrastructure” sectors, would be wise to raise the profile of cybersecurity within their organization. At a practical level, they can learn more about the NIST CSF at NIST’s online reference guide. Managers can suggest or promote the NIST CSF as the organization’s standard, promote understanding at the board level and assemble a crisis team to practice the company’s response to a real-world cyber scenario.