Executive Orders Require Review of Federal IT and Cybersecurity R

Anand Raj Shah

Email

202-230-5190

Bio and Articles

Find Your Next Job !

Litigation Paralegal
Greenberg Traurig, LLP

Legal Support Specialist
Greenberg Traurig, LLP

Chief Operating Officer / Business Manager
On Balance Search Consultants

Litigation Legal Support Specialist
Greenberg Traurig, LLP

Trusts & Estates Partner / Senior Attorney
On Balance Search Consultants

Commercial Real Estate Transactional Attorney / Real Estate Lawyer
On Balance Search Consultants

Trusts & Estates Attorney / Estate Planning Lawyer
On Balance Search Consultants

Explore More Job Openings

Executive Orders Require Review of Federal IT and Cybersecurity Resources

by: Anand Raj Shah of Faegre Drinker - Publications

Tuesday, May 16, 2017

Print Mail Download info_icon_img

/>i

The White House recently released two executive orders focusing on the government’s use of information technology and the need to assess cybersecurity threats to the country’s critical infrastructure. These executive orders highlight the importance of a more comprehensive and unified federal approach to cybersecurity issues, but aggressive timelines may create certain challenges, as noted below.

The American Technology Council

The first executive order, signed on April 28, 2017, establishes the American Technology Council (the "Council"), which will operate under the White House's Office of American Innovation. The Council is comprised of the president, vice president, the secretaries of Defense, Commerce and Homeland Security, as well as the Director of the Office of Management and Budget ("OMB"), National Intelligence, Office of Science and Technology Policy, and other government officials with technology-related portfolios.

The Council is tasked with coordinating the development of the vision and policy of the use of information technology by the federal government. It is also responsible for coordinating advice on information technology policy delivered to the president. This new role will take on additional importance in the near future in light of the government’s review of cybersecurity threats discussed below. Specifically, Section 7(d) directs the Director of National Intelligence to share classified information with the Council on “cybersecurity threats, vulnerabilities, and mitigation procedures.”

While the Council's authority to review the federal government's use of information technology is quite broad, it will not be permitted to review issues that relate to national security systems, or override the authority of government agencies and the OMB to develop agency-specific policies.

The Cyber Executive Order

The second executive order, signed on May 11, 2017, (the “Cyber EO”) requires a comprehensive review of the federal government's information technology resources, with the express goal of implementing cybersecurity risk management measures to protect federal networks and data. Every agency within the executive branch will be required to participate. Some agencies are required to produce multiple reports over the next nine to 12 months.

Risk Assessments:

First, each executive branch agency is required to conduct an assessment of its cybersecurity risks based on the Framework for Improving Critical Infrastructure Security (the “Framework") developed by the National Institute of Standards and Technology (NIST) in 2014. The Framework is currently being updated by NIST, with comments on the proposed changes having been submitted last month ("Version 1.1").¹ Because the Cyber EO requires that these reports be prepared by August 9, 2017, it is unclear whether Version 1.1 will be ready for agencies to use, or whether the 2014 Framework will be used.

The Secretary for Homeland Security and the Director of the OMB will review the risk assessments, which will be submitted in August 2017, and prepare a report by October 8, 2017, proposing a plan to address each agency’s (i) cybersecurity risks; (ii) unmet budgetary needs; and (iii) proposals to align the agency's policies, standards and guidelines with the Framework.

As the executive branch agencies conduct their risk assessments, the newly created American Technology Council, described above, is tasked with preparing a report by August 9, 2017, on the legal, policy and budgetary considerations associated with transitioning all executive branch agencies to shared IT services (including email, cloud and cybersecurity services). To complete this report, all executive branch agencies are directed to coordinate with and supply the Council with their current IT architectures.

Cybersecurity of Critical Infrastructure:

In addition to the risk assessments, the Cyber EO directs the preparation of reports assessing the cybersecurity of critical infrastructure entities. These reports are due as follows:

Reports	Due Date
Market Transparency of Cybersecurity Risk	August 9, 2017
Electricity Disruption Incident Response Capabilities	August 9, 2017
Department of Defense Warfighting Capabilities and Industrial Base	August 9, 2017
Critical Infrastructure at Greatest Risk	November 7, 2017
Resilience Against Botnets and Automated Distributed Threats	January 6, 2018

Cybersecurity of Nation:

The Cyber EO further addresses cybersecurity priorities to protect U.S. citizens on the internet and the development of a workforce skilled in cybersecurity. Additional reports are to be prepared and delivered to the president as follows:

Reports	Due Date
International Cybersecurity Priorities of Secretary of State, Defense, Commerce and Homeland Security	June 25, 2017
International Workforce Cybersecurity Education and Training	July 10, 2017
Deterring Adversaries and Protecting Americans from Cyber Threats	August 9, 2017
Domestic Workforce Cybersecurity Education and Training	September 8, 2017
International Cooperation and Engagement Strategy	September 23, 2017
Maintaining Advantage in National Security-Related Cyber Capabilities	October 8, 2017

These reports will require coordination and cooperation among federal agencies and cabinet-level departments within the executive branch. Not surprisingly, the Secretary of Homeland Security will be leading many of the efforts, along with the Secretary of Defense, the Director of the Federal Bureau of Investigation and the U.S. Attorney General.

The Cyber EO will require substantial coordination among the various executive branch agencies, White House staff and international partners. At least seven reports covering different subjects are required to be submitted by August 9, 2017, with an additional five reports due by January 2018.

These aggressive timelines may be difficult to meet because the NIST Framework is currently being revised and may not be ready for use by the executive branch agencies in the preparation of risk assessments due by August 9, 2017. As a result, it is unclear how useful the risk assessments will be in light of the outdated state of the 2014 Framework, and the substantial changes proposed in Version 1.1.

^{1. We reviewed the proposed changes in the Framework in here.}