The President signed Executive Order 13800 (EO) on May 11, 2017, titled "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure." Combined with the President's budget blueprint and recent EO establishing the American Technology Council, these documents lay out the Administration's policy agenda concerning national cybersecurity—which to date focuses on improving federal information technology (IT) systems. The proposals contained in the EO echo proposals from the previous Administration and recent legislative activity.

Federal Network Cybersecurity

The new EO reiterates policy established in the Federal Information Security Management Act (FISMA) that agency heads are responsible for managing risks to IT at their agencies. However, it goes further and establishes policy that the executive branch will manage cybersecurity risks as a single entity as a matter of national security.

The EO directs agencies to use the "Framework for Improving Critical Infrastructure Cybersecurity," otherwise known as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (Framework), to manage the agencies' cybersecurity risks. The previous Administration did not explicitly direct agencies to follow the Framework, but used it to develop the metrics that CIOs and inspectors general continue to use to assess their agencies' progress in securing IT. NIST published a draft report shortly after the release of the EO to assist agencies in implementing the EO and applying the Framework to their systems. The Framework also identifies NIST Special Publications that federal agencies use to inform the security of their networks as references for the private sector to use in developing their cybersecurity risk management procedures.

To address agency cybersecurity as a national security issue, the EO directs agencies to evaluate risks to their systems (to include budgetary and system vulnerabilities) and report them to the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB). DHS and OMB in turn are directed to work with agencies to identify insufficiencies and develop a plan to mitigate cybersecurity risks to the federal enterprise as a whole. The EO does not discuss whether or not DHS's authority to issue binding operational directives to other agencies should be considered as part of that plan.

Concerning IT modernization, the EO directs agency heads to procure shared services and the American Technology Council to report on considerations relevant to IT consolidation such as technical concerns and costs of moving to the cloud. These efforts are similar to the previous Administration's "cloud first" policy and the "Modernizing Government Technology Act of 2017" (MGT Act, H.R. 2227), recently passed by the House.

Critical Infrastructure Cybersecurity

The EO builds upon the previous Administration's work toward critical infrastructure security and resilience in Presidential Policy Directive 21 (PPD-21) and EO 13636.

Section 9 of EO 13636 directed DHS to identify critical infrastructure entities where a cybersecurity incident could result in a catastrophic impact, which DHS defines as billions of dollars in damages, thousands of fatalities, or a degradation of national security. EO 13636 prioritized expedited security clearances for these critical infrastructure entities. The EO required agencies to identify new ways for the government to support these entities. The number of entities identified as part of the Section 9 designation is expected to increase regardless of government action, because new investments in infrastructure and growth in the interconnectedness of that infrastructure will increase dependency.

EO 13800 builds upon recommendations from the Commission on Enhancing National Cybersecurity and think tank recommendations on transparency in critical infrastructure cybersecurity risk management so that stakeholders may better understand risks. It also builds upon the FAST Act (P.L. 114-94) authorities and requires the government to plan for cyber incidents involving the energy sector. The government has developed plans for incident coordination and supply chain impacts which could assist in meeting this requirement. The EO additionally requires a review of cybersecurity risks to defense, which was partially required in the 2017 National Defense Authorization Act (NDAA, P.L. 114-328) and required as part of the National Infrastructure Protection Plan sector-specific plans.

EO 13800 newly requires the government to collaborate with public and private sector stakeholders in a process to identify ways to reduce threats caused by botnets and to encourage voluntary action by the private sector to both improve the resilience of the Internet and mitigate botnet attacks.

National Cybersecurity

The EO states that the policy of the Executive branch is to "promote an open, interoperable, reliable, and secure Internet ... while respecting privacy and guarding against disruption, fraud and theft." It also recognizes the public and private sector workforce as vital to achieving the policy goal.

The National Cybersecurity Enhancement Act directs NIST to coordinate cybersecurity awareness and education and to evaluate future cybersecurity workforce needs for both the public and private sector, including recruitment and retention issues. The EO reiterates these responsibilities and seeks further government collaboration on these efforts.

There are additional requirements for national cybersecurity. The EO recognizes U.S. dependency on a global Internet and requires the identification of priorities and engagement strategies which may build upon a recent Department of State international strategy, as required by the Cybersecurity Act of 2015. The 2017 NDAA requires a report on deterring adversaries in cyberspace and the EO requires a similar report. The EO requires the government to examine the cybersecurity workforce developments of other countries with a focus on those which may affect the U.S.'s competitiveness, and to examine national-security-related cyber capabilities. Although not focused on national security capabilities, recent government strategies and plans concerning research and development have addressed some of these capabilities.

Deliverables

Table 1 outlines the deliverables included in the EO. The reports may be classified in full or in part, and required to be made available to the President. However, aside from one exception, noted below, none of the reports is required to be made available to the public or Congress.

Table 1. Table of Deliverables from Cybersecurity Executive Order 13800

| Deliverable | Due Date | Agencies | Notes |
|---|---|---|---|
| Report on International Priorities | June 25, 2017 | DOS, Treasury, DOD, DHS, DOJ, FBI | |
| Report on Findings from a Review of Foreign Cybersecurity Workforce Practices | July 10, 2017 | DOC, DHS, DOD, DOL, Ed, OPM | This review will focus on practices that will likely affect the U.S.'s long-term cybersecurity competitiveness. |
| Report on Agency Risk Management and Mitigation | August 9, 2017 | Individual agencies | Individual agency reports to DHS and OMB. |
| Report on Modernizing Federal IT | August 9, 2017 | American Technology Council, NIST | This report is to include recommendations on transitioning to shared services, such as cloud computing. |
| Report on Marketplace Transparency | August 9, 2017 | DHS, DOC | |
| Assessment of Cyber Incident Response to the Electric Sector | August 9, 2017 | DOE, DHS, DNI, state and local governments | |
| Report on Cybersecurity Risks to the Defense Industrial Base | August 9, 2017 | DOD, DHS, FBI, DNI | |
| Report on Cybersecurity Deterrence Options | August 9, 2017 | DOS, Treasury, DOD, DOJ, DOC, DHS, U.S. Trade Representative, DNI | |
| Report on Engagement Strategy for International Cooperation | September 23, 2017 | DOS, Treasury, DOD, DOC, DHS, DOJ, FBI | |
| Report on Federal Risk Management and Mitigation | October 8, 2017 | OMB, DHS, DOC, GSA | |
| Report on Modernizing National Security Systems | October 8, 2017 | DOD, DNI | |
| Report on Growing and Sustaining the Cybersecurity Workforce of the Public and Private Sectors | October 8, 2017 | DOC, DHS, DOD, DOL, Ed, OPM | |
| Report on Strategies to Improve National-Security-Related Cyber Capabilities | October 8, 2017 | DOD, DOC, DHS, DNI | |
| Report on Supporting Critical Infrastructure at Greatest Risk | November 7, 2017 | DHS, DOD, DOJ, DNI, FBI, sector-specific agency heads | |
| Preliminary Report on Efforts to Reduce Botnet Threats | January 6, 2018 | DOC, DHS, DOD, DOJ, FBI, sector-specific agency heads, FCC, FTC, stakeholders | This report shall be made publicly available. |
| Final Report on Efforts to Reduce Botnet Threats | May 11, 2018 | DOC, DHS | Final version of the report is to the President. |

Source: CRS analysis of The White House, "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," executive order, May 11, 2017, at https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.

Note: The lead agencies for the deliverables are italicized.