The intent of this article series is to help non-IT citizens understand how the Cybersecurity Executive Order affects them and what the order entails. The series is a compilation of 5 articles, so that each section can be expanded on with careful reasoning.
Pressing Forward into Section 2!
To the modern-day end user, the view of an infrastructure can be large or small. So, let’s expand our horizon now a little farther than infrastructures of small business, local government, and even some corporate companies. What Section 2 of the CS EO focuses on is handling security for those systems that are deemed critical to the safety of the country. We are talking about the infrastructures that affect our national security and our economic well-being. In fact, it would be better to think of these systems as our asset systems since they have such a huge effect on our lives. We’re talking about electrical generation, telecommunication, water supply, transportation, and so forth.
Anyway, I think you get my drift about the critical state of the systems that are referred to in Section 2 of the CS Executive Order. If you have followed my blog and my previous article, please notice that these are the systems that we were referencing in Section 1, as mentioned in part I. Only this time, the entire section is dedicated to the upkeep of this critical infrastructure instead of how the federal government will operate.
When we begin with section A of Section 2, we see that it is simply acknowledging the policy that gives the executive branch of the government authority to support and assist in creating secure risk management procedures for these critical infrastructure entities (or businesses).
Section B acknowledges that infrastructures with the greatest risks will cooperate with some federal agencies (listed in the EO) that are identified by the Secretary of Homeland Security. The purpose of this collaboration will be to identify and list out strategies that these federal agencies can use to support these entities. The primary concern is protection of data. The federal agencies must also be sure that all compiled areas (e.g., operational, budgeting) can work together to make the plan feasible and aligned with all respective processes. At this point in the EO, the NIST framework is referenced and set as a requirement for these agencies to follow.
So, what is the purpose of the NIST framework?
One challenge that is commonly noted in IT and CS is the inability to collaborate on a generic basis. In other words, vendors all have differing frameworks and templates. This can create confusion and excess work. It is my opinion that the EO's insistence upon the adoption of such a framework, to parallel the agencies and the private sector companies that choose to use this approach, can be a viable approach to retaining a general understanding of all entities involved. It creates a generic route, and if problems arise, we have a generic template to utilize for a clear understanding of system configuration. In CS we would refer to this process as baselining. But of course, this can be discussed in other articles.
Anyway, back to the point, section B! So, in this request to use the NIST framework there is also a request for risk management reports within 90 days. The important aspects that need to be addressed in this report include presenting system insufficiencies, addressing budgetary needs that have not been met, and identifying accepted risk, along with unmitigated vulnerabilities. It is also important that systems are reassessed periodically, that flexibility is given for changes that may need to be made, and that the presented policies are, of course, aligned with the NIST framework.
As we move on through section B and into section C of the EO, we see that Section 1 is very similar to Section 2. After the specifics of dealing with the critical infrastructure are addressed, we see that these proposals are once again sent through channels for approval. These channels include the Secretary of Homeland Security, the Director of OMB, and other executive offices of the federal government. The Director of the American Technology Council prepares a report with such offices, and it will again describe the effects of such a transition so that all considerations can be made and the overall effect can be realistically viewed. It is not an easy task to parallel the communication for critical infrastructures within an entire nation such as ours, and it must be done carefully with guided expertise behind every decision.
In conclusion, Section B ends by delegating the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism as those responsible for supreme implementation. This means they would implement, monitor, evaluate, and improve this critical infrastructure in accordance with this Executive Order.
-Dominique Briscoe, M.S.C.T