Many were amused and astounded by the creation of an EXECUTIVE ORDER for CYBERSECURITY. First put in place under POTUS #44 Barack Obama, the approach was renewed when Donald Trump, POTUS #45, signed his own EO on May 11, 2017, building on the earlier order. But what does this "order" really entail? Let's face it: cybersecurity is now a big factor for all of us, and it is not going anywhere until we invest in making it a priority in our lives. In this article I will break down the first section of the EXECUTIVE ORDER. Pay attention to the dates, and along the way take note of whether all agencies have done their part in submitting the required documents within 90 days, which should be the initial start to improving our cybersecurity strategies in the US!
Here we go!
Section 1, as mentioned before, is the Federal Networks section. Subsection (a) singles out the federal government as the first audience for this order: agencies have no choice but to implement it, follow its directions, and make their submissions on time. Subsection (b) gives findings. It holds that when information is shared it must support awareness, detection, mitigation, and recovery from unauthorized attacks. It finds that the executive branch has for too long accepted outdated, hard-to-defend IT, and that risk management must do more than protect the data in place today; it must also plan for maintenance, improvement, and modernization in a coordinated way. It names "known but unmitigated vulnerabilities" as among the highest risks, and it spells out what it means by that: running operating systems or hardware past the vendor's support lifecycle, declining to apply a vendor's security patch, or failing to follow security-specific configuration guidance. In other words, it is neglected patching and configuration, not exotic attacks, that create much of the risk, so the order places an emphasis on following the directions supplied by vendors when configuring systems, especially for security settings.
Finally, the findings state that agency heads must lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources, with which I can thoroughly agree! This section was easy and delightful to read, as it sheds some light on the President and the agencies involved in composing this order and shows that recognizing US IT defenses as outdated was an important step.
As we move further into Section 1, still geared toward the federal government, risk management is discussed, and we begin to hear exactly how the NIST Framework plays a part in this development. Risk management means forecasting and evaluating risks (here, cybersecurity risks to an agency's IT and data, not just financial ones) and identifying procedures to minimize their impact. First, agency heads are again recognized and identified as the party responsible for risk management. They will be held accountable for implementing measures commensurate with the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data. In a nutshell, they are responsible for all activities of risk management.
The NIST Framework (the Framework for Improving Critical Infrastructure Cybersecurity) is then solidified as a part of this package: not merely recommended but required for agency use, with a report due within 90 days of the order (by August 9, 2017). The report must document the risk mitigation and acceptance choices each agency head has made. But what does this mean? Sometimes agencies choose not to mitigate a risk; they simply accept that they have the risk and choose not to act on it. This can be extremely risky, and the order requires that for every accepted risk, including risk from unmitigated vulnerabilities, the agency be able to explain the strategic, operational, and budgetary considerations behind that choice. As a cybersecurity specialist, this is a big whoopsie for me. It bears caution but also understanding. No, we don't have to address every single risk, but the ones we accept may come back to affect us in the future.
Each agency is then required to describe its action plan for implementing the Framework. Once the reports are submitted, the Director of OMB, in coordination with the Secretary of Homeland Security, assesses them and determines whether the approaches presented, along with the accepted risks, are appropriate and sufficient for managing risk to the executive branch enterprise as a whole. So here we see the importance of proper management of the executive branch enterprise. We can assume that any submitted plan that poses too much risk to the enterprise would be rejected and revisions requested, with a clear articulation of what would need to change. Or at least I would hope that this would be the case.
Finally, these reports reach Donald Trump within 60 days of the agency submissions, through the Assistant to the President for Homeland Security and Counterterrorism. The determination that accompanies them comes with a plan: to protect the executive branch enterprise wherever the agency plans fall short, to address the budgetary needs of risk management, and to set up a regular process for reassessing the determination and future budgetary needs. The Director of OMB prepares it in coordination with the Secretary of Homeland Security, with support from the Secretary of Commerce and the Administrator of General Services, with the aim of a more secure and resilient IT architecture.
This section concludes by drawing attention to the fact that agency heads are to show preference in their procurement for shared IT services such as email, cloud, and cybersecurity services, to the extent permitted by law. It also calls for a report, coordinated by the Director of the American Technology Council and due within 90 days, on modernizing federal IT: describing the legal, policy, and budgetary considerations of transitioning all agencies, or subsets of them, to consolidated network architectures and shared services, and assessing the effects of such a transition.
In a nutshell, the first portion of the EXECUTIVE ORDER is geared toward the federal government, in the hope that the private sector will follow suit. However, we must first be effective in emphasizing the order within the federal government and analyzing its benefits there. In concluding this article I ask: has the federal government been hacked lately?
-Dominique Briscoe, M.S.C.T.