So by now hopefully most are aware of the recent Executive Order signed by President Trump. While not numbered, it came out May 11th, which was just before the planned NIST Cybersecurity Framework Workshop. Full title is "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure".
So let's take a look at it.
It has 5 sections. Sections 4 and 5 we can basically overlook. Sec4 is definitions, while Sec5 is General Provisions.
Section 1, 2, and 3 are what we are interested in. 1 deals with federal systems, 2 with "critical infrastructure", and 3 with national cybersecurity. Peppered throughout are a range of deadlines.
Section 1 is federal systems.
It kicks off with some findings, most of which I don't think many would be surprised. There is the issue of old and outdated systems. Risk management needing to be better utilized. Unaddressed vulnerabilities. And agency heads need to lead integrated teams to address these issues.
Then we get into directives. Some of these are interesting.
Agency heads will now be held accountable to implementing risk management. So will we see such heads getting fired if they fail to prevent breaches? Hopefully it will be those who didn't do basic stuff rather then those who did all they should and there was still a breach. (can't have 100% security)
Agencies now must use the NIST Cybersecurity Framework. AND provide a risk management report to DHS and OMB in the next 90 days. This is interesting, as agencies should be implementing FISMA. Is the NIST CSF being used as a sort of assessment tool?
Further on this DHS & OMB will assess these reports and will provide their own report to the President on this within 60 days. There is also wording about having plans to address any issues.
(please understand that I am summarizing and simplifying things in the EO. It goes into more details about who does what, and what these reports will include.)
There is then a part about the Executive Branch planning on building a "modern, secure, and more resilient executive branch IT architecture". This should be interesting. The first step is a report due in 90 days on how this can be achieved.
A lot of deadlines for a lot of groups. I found a good article on Bankinfosecurity with a nice table on all these deadlines, but can't seem to find it. Always how it is.
Interestingly, just after this EO came out, NIST released a DRAFT version of what they call an "inter-agency report" (#8170) outlining how federal agencies can use the NIST CSF. You can read it HERE.
Section 2 is about "critical infrastructure". Basically, these are vital PRIVATE (non-government) systems. So the tone here is a little different. Here is about supporting the efforts of such private companies to improve cybersecurity, again using the NIST CSF. This will be done by various agencies, including DHS, FBI, Commerce, etc. DHS has had a section on their website supporting cybersecurity for awhile, so check it out HERE.
Further they want to work on addressing "resilience against botnets and other automated distributed threats". I assume this includes stuff like ransomware and the like. Again, getting several agencies together and working with others DHS and Commerce takes the lead here and will have a report in 240 days.
They also want to address issues with our power grid and what is called "warfare industries".
Section 3 is about "cybersecurity for the nation" and has a hodge podge of things. There are some stuff about protecting the Internet and protecting the nation and people from cyber threats.
And "workforce development" is also touched on. Again, this idea of a "skills gap" and needing to train people in cybersecurity. NIST and other groups have been working on this topic in different areas. So we'll see what comes out of this. I'd really like to see all these efforts be a little more cooperative.
I recommend people take a look at this. There are some good overview articles out there. We'll see how this all shakes out in the coming months.