A Summary of the Cybersecurity Executive Order

This afternoon, President Trump signed a long-awaited executive order on cybersecurity, titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” This post will walk through the three substantive sections of the order.

Section 1. Cybersecurity of Federal Networks

Section 1 deals with cybersecurity risk management and IT modernization in the executive branch. It first requires agency heads to be guided by the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The Framework was produced as a result of President Obama’s 2013 executive order on the subject. Created in partnership with private sector, the Framework bills itself as “a set of industry standards and best practices to help organizations manage cybersecurity risks.” It encourages a risk-management model of cybersecurity.

Second, President Trump’s executive order directs agency heads to produce a report within 90 days that documents “risk mitigation and acceptance choices made by each agency head as of the date” of the order, including the strategic considerations guiding their decisionmaking and “any accepted risk, including from unmitigated vulnerability.” The 90-day report, which may be classified, is likewise required to contain an agency-specific plan to implement the NIST Framework. The Directors of Homeland Security and OMB will jointly review the reports, and the Director of OMB will then submit a report to the President laying out the joint assessment as well as a plan to remedy inadequacies or address budgetary constraints.

Finally, Section 1 declares it “the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture.” It directs agencies to “show preference in their procurement for shared IT services,” and the Director of the American Technology Council to coordinate a joint report from DHS, OMB, and GSA on the feasibility of transitioning agencies to consolidated network architectures and shared IT services.

National Security Systems—as defined in 44 USC § 3552—are exempt from reporting to DHS and OMB, but the Secretary of Defense and Director of National Intelligence are required to implement the order to the extent feasible. The order mandates those agency heads report directly to the President within 150 days on risk mitigation and acceptance choices.

Section 2. Cybersecurity of Critical Infrastructure

Section 2 addresses federal support for the owners and operators of critical infrastructure. Again, this builds on President Obama’s 2013 executive order. President Trump’s order directs agency heads to identify authorities and mechanisms through which agencies can better support cybersecurity efforts of critical infrastructure, focusing primarily on “section 9 entities”—those defined in section 9 of President Obama’s 2013 executive order that are “at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” Additionally, the order requires agencies to seek input from section 9 entities.

Section 2 likewise mandates investigation and reporting by various agencies on federal policies to “promote market transparency of cybersecurity risk management practices by critical infrastructure entities,” on improving resilience to automated cyber threats, on response capabilities for power outages resulting from significant cyber incidents, and on cybersecurity risks to the defense industrial base and U.S. military systems.

Section 3. Cybersecurity for the Nation

The final substantive section addresses consumer cybersecurity, both in fostering a secure internet and in supporting the growth of a cybersecurity-trained workforce.

First, Section 3 requires eight executive department heads to jointly produce a report within 90 days detailing “the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threat.” Next, it mandates that the Secretaries of State, Treasury, Defense, Commerce, and Homeland Security submit reports to the President identifying their international cybersecurity priorities; within 90 days of those reports, the Secretary of State is to provide a report to the President “documenting an engagement strategy for international cooperation in cybersecurity.”

Finally, the order addresses the need for a cybersecurity-capable workforce. It requires relevant agency heads to “jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future,” the Director of National Intelligence to assess the “workforce development efforts of potential foreign cyber peers,” and the Secretary of Defense to evaluate “the sufficiency of United States efforts to ensure that the United States maintains or increases its advantage in national-security-related cyber capabilities.”