This article highlights the extensive assessment reporting requirements in the May 11 White House Executive Order. Much of the agency reporting is due in mid-August. Join us at the 8th Annual Billington CyberSecurity Summit held the next month on Sept. 13, 2017 to find out more about next steps stemming from the EO. Plus, Rob Joyce, the White House Cybersecurity Coordinator and Special Assistant to the President, will keynote.
The White House Executive Order on Cybersecurity released last week establishes a number of deadlines for departments and agencies to assess cybersecurity risk and IT requirements. Also on the agenda are reports on ways to strengthen critical infrastructure and the cybersecurity workforce.
Federal agencies must complete and submit risk management reports to the Secretary of Homeland Security and the director of the Office of Management and Budget within 90 days.
According to the executive order, the risk management reports will document the “risk mitigation and acceptance choices made by each agency head as of the date of this order.”
These agency assessments will be reviewed by the Secretary of Homeland Security and the Director of the Office of Management and Budget. After that, OMB and DHS have 60 days to submit to the President a plan to protect the executive branch and to address immediate budget concerns and recurring unmet budget needs.
The Executive Order states that agency heads are held accountable for implementing cybersecurity risk management in their agencies.
The Secretary of Defense and the Director of National Intelligence will review national security systems and report on how they will implement shared IT services. The report shall include a justification for any deviation from the requirements of shared IT services. This report is due within 150 days of the date of the EO.
Federal IT Modernization
The EO calls upon the Director of the American Technology Council to coordinate a report on modernizing Federal IT from the Secretary of DHS, the Director of OMB and the Administrator of the General Services Administration, in consultation with the Commerce Secretary. This report, like the agency reports, is due 90 days from the signing of the EO.
The report will describe the “legal, policy, and budgetary considerations and technical feasibility and cost effectiveness, including timelines and milestones, of — transitioning all agencies, or a subset of agencies, to one or more consolidated network architectures and shared IT services, including email, cloud, and cybersecurity services.”
The EO also calls for reports on the threats posed by botnets within 240 days. The Secretary of Commerce and the Secretary of Homeland Security are given this task. The EO says the government will publish a report at a later date on how the US intends to combat the threat.
The electrical grid is singled out for a report from the Secretary of Energy and the Secretary of Homeland Security on the threat hackers pose to the nation’s electrical system. This report, like many others, is due in 90 days.
The Secretaries of Defense and Homeland Security and the head of the FBI have a similar period to review the resilience of the nation’s military and industrial base to attack.
A report on securing the Internet is assigned to the Secretaries of State, the Treasury, Defense, Commerce, Homeland Security, the Attorney General, the United States Trade Representative, and the Director of National Intelligence with a 90-day deadline.
And within 45 days, the EO asks for a report on how the US can work with other countries to secure the Internet. The Secretaries of State, the Treasury, Defense, Commerce, and Homeland Security, in coordination with the Attorney General and the Director of the FBI, are given this assignment.
Workforce development is also on the reporting agenda. The Secretaries of Commerce, Homeland Security, Defense, Labor, and Education, the Director of the Office of Personnel Management, and possibly some other agencies will report within 120 days on efforts to educate and train the American cybersecurity workforce.
In the meantime, the Director of National Intelligence has 60 days to produce a report analyzing other countries’ efforts to train an IT security workforce.