The midway point to the cybersecurity executive order deadline passed last week. If an agency is behind schedule, how can it catch up?
On May 11, President Trump issued an executive order (EO) that makes each agency head directly accountable for the cybersecurity of their organization. According to SecurityInfoWatch, “Leading security and risk experts are saying this is the most aggressive executive order related to cybersecurity ever presented and is quite specific with regards to responsibility and accountability in addressing the challenges identified in the order… Agencies and departments have 90 days to provide a report of their risk management efforts, identifying risk mitigation and acceptance choices, including strategic, operational and budgetary considerations that led to those choices and what are any of the accepted risks, including from unmitigated vulnerabilities.”
While most analysts have given favorable reviews of the EO, some suggest it goes too far in requiring detailed reporting that may not result in any long-term changes, while others believe it omits changes that could make an immediate difference. For example, moving massive amounts of government data to cloud providers with the strongest security measures available could dramatically increase resilience, and expanding incentives to encourage young people to pursue careers in cybersecurity could help fill the huge need for trained professionals. While these suggestions make sense, the EO as it stands will create substantial momentum and could begin an ongoing elevation of the government’s ability to deal with cyber threats.
The executive order defines three major initiatives. The first initiative is assessing and upgrading federal networks, but achieving compliance on this presents significant challenges to agencies. Even though the prescribed assessment framework developed by NIST (commonly known as the Cybersecurity Framework, or CSF) was created by a fellow federal agency, most agencies have little experience in using it: until now it has been applied mainly to private-sector critical infrastructure, while agencies have assessed themselves against other NIST controls. The CSF has become widely recognized as the “gold standard” for evaluating the cyber maturity of an organization, but it doesn’t spell out how to implement it effectively by assigning responsibilities to key groups and individuals.
“The executive order talks about cybersecurity being a ‘team sport’,” according to Rod Turk, acting CIO and chief information security officer of the Department of Commerce. “You’re not going to get anything done unless everyone is on the same page… in my opinion, the most important part of the executive order.”
Ideally, every agency should by now have assembled a broad cross-functional team to begin gathering the information needed to create the reports the EO requires to be sent to the Office of Management and Budget. For those who haven’t, organizing the effort around the following 10 cyber considerations, drawn from the NIST CSF-compatible Cybersecurity Capability Maturity Model (C2M2), will help in formulating an execution plan:
- Risk Management
- Asset, Change & Configuration Management
- Identity & Access Management
- Threat & Vulnerability Management
- Situational Awareness
- Information Sharing & Communication
- Event & Incident Response/Continuity of Operations
- External Dependency Management
- Workforce Management
- Cybersecurity Program Management
Once the team has been defined, gathering the information presents the next challenge. For an agency that hasn’t worked with the CSF before, it takes time to absorb it all and decide how to implement it. If this isn’t already in motion, starting as soon as possible gives the designated team time to digest the framework and organize its findings so that it can report accurately on the required line items.
The second initiative involves five reports on critical infrastructure, each with tasks assigned to specific agencies. Each of the named agencies should already be well down the path to producing its report.
- Critical Infrastructure Entities – This requires certain agencies to support cybersecurity improvements at designated critical infrastructure entities, including engaging with those entities to evaluate how they can be helped and encouraged to improve their cybersecurity efforts.
- Cybersecurity Transparency – This report examines whether current federal policies and procedures promote sufficient transparency about cyber risk management practices, with a particular focus on publicly traded companies.
- Internet and Communication Resilience – This directs the Departments of Commerce and Homeland Security to encourage actions, including information sharing, that will make the internet and communications ecosystem more resilient.
- Electric Subsector Outages – In this report, the relevant agencies need to assess the potential scope and duration of a prolonged power outage caused by a significant cyber incident, and the country’s readiness to manage and recover from it.
- Defense Industrial Base – This requires the Departments of Defense and Homeland Security and the FBI, in coordination with the Director of National Intelligence, to recommend actions that protect the entire defense industrial base ecosystem.
The third initiative of the EO is reporting on options for deterring cyber adversaries and protecting the country from cyber threats, including international cooperation and ways to accelerate growth of the cybersecurity workforce in the U.S. Several cabinet departments, in coordination with the Director of National Intelligence, are tasked with this effort, and they are likely moving quickly to ensure they meet the deadline.
The first initiative seems the most challenging to meet and the least likely to be completed before the deadline. It applies to every agency, large and small, and it requires most agencies to learn and apply NIST’s CSF. For agencies wanting to catch up and meet the EO deadline, Cybernance announced, concurrent with the executive order, the availability of a SaaS platform that automates NIST CSF assessment and reporting. Each agency must submit a risk management report and action plan based on the NIST CSF assessment by August 9, which is 40 days from now. The platform’s automation enables an initial assessment that can be completed in 30 days or less, which can substantially de-risk an agency’s plan and help agency heads meet the impending deadline.
Almost any initiative taken to address cyber resilience can and will be criticized. A specific mandatory action has now been taken to address what Warren Buffett believes is a bigger threat to humanity than nuclear weapons. Astute agency heads have the opportunity to get behind the EO and elevate their cybersecurity practices by moving rapidly to assess their status, improve their cyber resilience, and comply by the deadline.