Secretaries, Directors to Be Held Responsible for Their Agencies’ IT Security
President Donald Trump has signed a long-awaited executive order that places responsibility for cybersecurity on departmental secretaries and agency directors and emphasizes the use of risk management throughout the federal government to secure digital assets.
“Because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise,” says the executive order, issued May 11. “Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources.”
The executive order, prepared after the release of several earlier drafts, also calls for the modernizing of federal information technology. New technologies are seen as more secure than older ones. The modernization program will be led by the American Technology Council headed by Jared Kushner, Trump’s son-in-law and assistant to the president.
Among other provisions, the executive order calls for:
- Requiring each federal agency to use the cybersecurity framework developed by the National Institute of Standards and Technology (see NIST Issues Draft of Revisions to Cybersecurity Framework);
- Identifying federal capabilities that could be used to help companies that operate portions of the nation’s critical infrastructure to defend their information systems and data;
- Promoting processes to improve resilience of the internet and communications ecosystem to dramatically reduce threats perpetrated by botnets;
- Assessing electricity disruption incident response capabilities; and
- Identifying risks facing the defense industrial base.
The executive order calls on the secretaries of commerce and homeland security, working with other agencies, to assess the scope of efforts to train the American cybersecurity workforce, including cybersecurity-related education curricula, training and apprenticeship programs, from primary through higher education.
It also directs the director of national intelligence to review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness.
Most of the provisions are stated as directives requiring specific agencies to report to the president within certain deadlines that range from 45 to 240 days.
“The United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace,” the executive order says.
The original draft of the executive order had called for the military to play a more active role in protecting federal government and critical infrastructure information technology, but that provision was excised in later drafts and the final version because of the widespread belief among many stakeholders that civilian cybersecurity shouldn’t be overseen by the defense department (see Revised Cybersecurity Executive Order Seen as More Moderate).