President Donald Trump on Thursday released a final version of his long-awaited cybersecurity executive order, which emphasizes risk management, critical infrastructure resilience, cyber deterrence and U.S. cyber workforce development.
Like the draft EO, the finalized version states that, "The executive branch has for too long accepted antiquated and difficult-to-defend IT."
The EO mandates a comprehensive review of cybersecurity across federal networks — both the civilian .gov and the defense .mil domains — as well as the nation's critical infrastructure.
The EO holds executive department and agency heads accountable for the cybersecurity of their enterprises. The EO charges these leaders with responsibility for "implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of IT and data."
The finalized document is divided into three main sections, including "Cybersecurity of Federal Networks," "Cybersecurity of Critical Infrastructure" and "Cybersecurity for the Nation." Each section details a set of required assessments, reports, plans and recommendations to be completed by federal executives, either individually or jointly. The EO stipulates a deadline for each deliverable, with some requiring milestones and timelines for implementation.
The first section of the EO addresses federal networks, with a pronounced emphasis on risk management. The EO mandates that agencies implement the National Institute of Standards and Technology's (NIST's) Cybersecurity Framework. The Framework, first released in February 2014 and since updated, has been widely praised by federal and commercial cybersecurity professionals.
The EO defines risk management to include traditional cybersecurity activities, such as malware detection and incident response, as well as maintaining, improving and modernizing federal IT infrastructure. The EO notes, "Information sharing facilitates and supports all of these activities."
Risk management also entails addressing "known vulnerabilities" by implementing security patches, ensuring secure configurations and updating software and hardware that have reached their end of life. A technology's end of life is marked by its vendor ceasing support, such as issuing security patches.
The EO notes that "effective risk management" requires "integrated teams" with expertise that spans IT, security, budgeting, acquisition, law, privacy and human resources.
Specifically, the EO requires all federal agency heads to submit a risk management report to the DHS Secretary and the Director of the Office of Management and Budget within 90 days. The risk management report must document each agency's risk mitigation and acceptance choices, the considerations that informed those choices, any accepted risk and the action plan for implementing the NIST Framework.
Within 60 days of receiving each agency's risk management report, the DHS Secretary, OMB Director, Secretary of Commerce and Administrator of General Services must submit to the president a determination on each agency's risk report. In addition, the federal executives will present a joint plan to protect the executive branch enterprise, bridge budgetary gaps, develop a risk management process, reconcile the plan with United States Code (chapter 35, subchapter II of title 44) and align with the NIST Framework.
The EO declares that, effective immediately, the executive branch's policy is "to build and maintain a modern, secure and more resilient executive branch IT architecture." To this end, agency heads must "show preference in procurement" for shared IT services, including email, cloud and cybersecurity.
The EO orders a report on modernizing federal IT to be submitted to the president within 90 days. The modernization report will "describe the legal, policy and budgetary considerations relevant to – as well as the technical feasibility and cost effectiveness, including timelines and milestones, of – transitioning all agencies, or a subset of agencies, to one or more consolidated network architectures and shared IT services ..." The same report must assess how cybersecurity at agencies will be impacted by shared IT services.
As in last week's draft, the Defense Secretary and DNI are required to implement the EO's mandates on their networks "to the maximum extent feasible and appropriate." Within 150 days, the Defense Secretary and DNI will report on their implementation of the EO's mandates and "a justification for any deviation."
The EO mandates a risk-based assessment of the nation's critical infrastructure "at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security or national security."
To this end, the EO requires a joint report from federal executives within 180 days that includes recommendations on how the federal government can better support risk management of critical infrastructure owners and operators. The view that cybersecurity of private critical infrastructure ultimately rests with owners and operators, not the federal government, is consistent with past federal policy.
To this end, the DHS Secretary and Secretary of Commerce must report to the president, within 90 days, "on the sufficiency … of market transparency of cybersecurity risk management practices by critical infrastructure entities, focusing on publicly traded owners and operators of critical infrastructure."
The EO requires the DHS Secretary and Secretary of Commerce to jointly lead a process designed "to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets)." A report on these efforts will be due to the president within 240 days, followed by a final report due within a year.
In addition, the EO requires the Energy Secretary and DHS Secretary to lead an assessment of the "the potential scope and duration of a prolonged power outage associated with a significant cyber incident." The same assessment will report on the readiness of U.S. incident response and any "gaps or shortcomings in assets or capabilities" that would be required to mitigate such an incident. The report is due within 90 days.
The Defense Secretary, DHS Secretary, FBI Director and DNI are to report within 90 days on cybersecurity risks to the defense industrial base, including "its supply chain, and United States military platforms, systems, networks and capabilities, and recommendations for mitigating these risks."
The final policy section of the EO outlines the administration's vision for the internet, cyber deterrence, international cooperation and a U.S. cyber workforce.
Regarding the internet, the order states that U.S. policy is "to promote an open, interoperable, reliable and secure internet that fosters efficiency, innovation, communication and economic prosperity, while respecting privacy and guarding against disruption, fraud and theft."
On cyber deterrence and protection, the EO requires eight federal executives to develop a joint report "on the nation's strategic options for deterring adversaries and better protecting the American people from cyber threats."
In addition, the EO requests a report on suggested actions for developing international cybersecurity priorities, such as "investigation, attribution, cyber threat information sharing, response, capacity building and cooperation." Separately, the Secretary of State is charged with reporting on "an engagement strategy for international cooperation in cybersecurity."
Finally, the EO advocates for cybersecurity education and skilled cybersecurity workers. To this end, the EO requires a joint assessment of "the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training and apprenticeship programs, from primary through higher education."
It requires a report on "findings and recommendations regarding how to support the growth and sustainment of the nation's cybersecurity workforce in both the public and private sectors."
It orders the defense and federal civilian communities to "assess the scope and sufficiency of U.S. efforts to ensure U.S. national security-related cyber capability advantage."
Reaction to the executive order has so far been mixed.
Sen. Ron Johnson, R-Wis., chairman of the Senate Homeland Security and Governmental Affairs Committee, was mainly positive and said he was glad to see Trump prioritizing cybersecurity. "We must ensure that our data is secure, and our critical infrastructure is not vulnerable to attacks," Johnson said.
Sen. John McCain, R-Ariz., chairman of the Senate Armed Services Committee, was more critical. He said, "The fact is that the challenges we confront are well-known and well-documented. We do not need more assessments, reports and reviews. We need policy, strategy and the resources to carry them out."