{ "id": "IN10707", "type": "CRS Insight", "typeId": "INSIGHTS", "number": "IN10707", "active": true, "source": "EveryCRSReport.com", "versions": [ { "source": "EveryCRSReport.com", "id": 461435, "date": "2017-05-18", "retrieved": "2017-05-24T16:17:48.133257", "title": "A Little Old, a Little New: The Cybersecurity Executive Order ", "summary": "The President signed Executive Order 13800 (EO) on May 11, 2017, titled \u201cStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure.\u201d Combined with the President\u2019s budget blueprint and recent EO establishing the American Technology Council, these documents lay out the Administration\u2019s policy agenda concerning national cybersecurity\u2014which to date focuses on improving federal information technology (IT) systems. The proposals contained in the EO echo proposals from the previous Administration and recent legislative activity.\nFederal Network Cybersecurity\nThe new EO reiterates policy established in the Federal Information Security Management Act (FISMA) that agency heads are responsible for managing risks to IT at their agencies. However, it goes further and establishes policy that the executive branch will manage cybersecurity risks as a single entity as a matter of national security. \nThe EO directs agencies to use the \u201cFramework for Improving Critical Infrastructure Cybersecurity,\u201d otherwise known as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (Framework), to manage the agencies\u2019 cybersecurity risks. The previous Administration did not explicitly direct agencies to follow the Framework, but used it to develop the metrics that CIOs and inspectors general continue to use to assess their agencies\u2019 progress in securing IT. NIST published a draft report shortly after the release of the EO to assist agencies in implementing the EO and applying the Framework to their systems. 
The Framework also identifies NIST Special Publications that federal agencies use to inform the security of their networks as references for the private sector to use in developing their cybersecurity risk management procedures.\nTo address agency cybersecurity as a national security issue, the EO directs agencies to evaluate risks to their systems (to include budgetary and system vulnerabilities) and report them to the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB). DHS and OMB in turn are directed to work with agencies to identify insufficiencies and develop a plan to mitigate cybersecurity risks to the federal enterprise as a whole. The EO does not discuss whether or not DHS\u2019s authority to issue binding operational directives to other agencies should be considered as part of that plan. \nConcerning IT modernization, the EO directs agency heads to procure shared services and the American Technology Council to report on considerations relevant to IT consolidation such as technical concerns and costs of moving to the cloud. These efforts are similar to the previous Administration\u2019s \u201ccloud first\u201d policy and the \u201cModernizing Government Technology Act of 2017\u201d (MGT Act, H.R. 2227), recently passed by the House. \nCritical Infrastructure Cybersecurity\nThe EO builds upon the previous administration\u2019s work towards critical infrastructure security and resilience in Presidential Policy Directive 21 (PPD-21) and EO 13636.\nSection 9 of EO 13636 directed DHS to identify critical infrastructure entities where a cybersecurity incident could result in a catastrophic impact, which DHS defines as billions of dollars in damages, thousands of fatalities, or a degradation of national security. EO 13636 prioritized expedited security clearances for these critical infrastructure entities. The EO required agencies to identify new ways for the government to support these entities. 
The number of entities identified as part of the Section 9 designation is expected to increase regardless of government action, because new investments in infrastructure and growth in the interconnectedness of that infrastructure will increase dependency.\nEO 13800 builds upon recommendations from the Commission on Enhancing National Cybersecurity and think tank recommendations on transparency in critical infrastructure cybersecurity risk management so that stakeholders may better understand risks. It also builds upon the FAST Act (P.L. 114-94) authorities and requires the government to plan for cyber incidents involving the energy sector. The government has developed plans for incident coordination and supply chain impacts which could assist in meeting this requirement. The EO additionally requires a review of cybersecurity risks to defense, which was partially required in the 2017 National Defense Authorization Act (NDAA, P.L. 114-328) and required as part of the National Infrastructure Protection Plan sector-specific plans. \nEO 13800 newly requires the government to collaborate with public and private sector stakeholders in a process to identify ways to reduce threats caused by botnets and to encourage voluntary action by the private sector to both improve the resilience of the Internet and mitigate botnet attacks. \nNational Cybersecurity\nThe EO states that the policy of the Executive branch is to \u201cpromote an open, interoperable, reliable, and secure Internet ... while respecting privacy and guarding against disruption, fraud and theft.\u201d It also recognizes the public and private sector workforce as vital to achieving the policy goal. \nThe National Cybersecurity Enhancement Act directs NIST to coordinate cybersecurity awareness and education and to evaluate future cybersecurity workforce needs for both the public and private sector, including recruitment and retention issues. 
The EO reiterates these responsibilities and seeks further government collaboration on these efforts.\nThere are additional requirements for national cybersecurity. The EO recognizes U.S. dependency on a global Internet and requires the identification of priorities and engagement strategies which may build upon a recent Department of State international strategy, as required by the Cybersecurity Act of 2015. The 2017 NDAA requires a report on deterring adversaries in cyberspace and the EO requires a similar report. The EO requires the government to examine the cybersecurity workforce developments of other countries with a focus on those which may affect the U.S.\u2019s competitiveness, and to examine national-security-related cyber capabilities. Although not focused on national security capabilities, recent government strategies and plans concerning research and development have addressed some of these capabilities. \nDeliverables\nTable 1 outlines the deliverables included in the EO. The reports may be classified in full or in part, and required to be made available to the President. However, aside from one exception, noted below, none of the reports is required to be made available to the public or Congress. \nTable 1. 
Table of Deliverables from Cybersecurity Executive Order 13800\nDeliverable\nDue Date\nAgencies\nNotes\n\nReport on International Priorities\nJune 25, 2017\nDOS, Treasury, DOD, DHS, DOJ, FBI\n\n\nReport on Findings from a Review of Foreign Cybersecurity Workforce Practices\nJuly 10, 2017\nDOC, DHS, DOD, DOL, Ed, OPM\nThis review will focus on practices that will likely affect the U.S.\u2019s long-term cybersecurity competitiveness.\n\nReport on Agency Risk Management and Mitigation\nAugust 9, 2017\nIndividual agencies\nIndividual agency reports to DHS and OMB.\n\nReport on Modernizing Federal IT\nAugust 9, 2017\nAmerican Technology Council, NIST\nThis report is to include recommendations for transitioning to shared services, such as cloud computing.\n\nReport on Marketplace Transparency\nAugust 9, 2017\nDHS, DOC\n\n\nAssessment of Cyber Incident Response to the Electric Sector\nAugust 9, 2017\nDOE, DHS, DNI, state and local governments\n\n\nReport on Cybersecurity Risks to the Defense Industrial Base\nAugust 9, 2017\nDOD, DHS, FBI, DNI\n\n\nReport on Cybersecurity Deterrence Options\nAugust 9, 2017\nDOS, Treasury, DOD, DOJ, DOC, DHS, U.S. 
Trade Representative, DNI\n\n\nReport on Engagement Strategy for International Cooperation\nSeptember 23, 2017\nDOS, Treasury, DOD, DOC, DHS, DOJ, FBI\n\n\nReport on Federal Risk Management and Mitigation\nOctober 8, 2017\nOMB, DHS, DOC, GSA\n\n\nReport on Modernizing National Security Systems\nOctober 8, 2017\nDOD, DNI\n\n\nReport on Growing and Sustaining the Cybersecurity Workforce of the Public and Private Sectors\nOctober 8, 2017\nDOC, DHS, DOD, DOL, Ed, OPM\n\n\nReport on Strategies to Improve National-Security-Related Cyber Capabilities\nOctober 8, 2017\nDOD, DOC, DHS, DNI\n\n\nReport on Supporting Critical Infrastructure at Greatest Risk\nNovember 7, 2017\nDHS, DOD, DOJ, DNI, FBI, sector-specific agency heads\n\n\nPreliminary Report on Efforts to Reduce Botnet Threats\nJanuary 6, 2018\nDOC, DHS, DOD, DOJ, FBI, sector-specific agency heads, FCC, FTC, stakeholders\nThis report shall be made publicly available.\n\nFinal Report on Efforts to Reduce Botnet Threats\nMay 11, 2018\nDOC, DHS\nFinal version of the report is to the President.\n\nSource: CRS analysis of The White House, \u201cPresidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,\u201d executive order, May 11, 2017, at https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal. \nNote: The lead agencies for the deliverables are italicized.", "type": "CRS Insight", "typeId": "INSIGHTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "http://www.crs.gov/Reports/IN10707", "sha1": "1b8e3bf86133c70d8328da35af3f106662bc1088", "filename": "files/20170518_IN10707_1b8e3bf86133c70d8328da35af3f106662bc1088.html", "images": null } ], "topics": [] } ], "topics": [ "CRS Insights", "National Defense" ] }