President Donald Trump’s executive order on cybersecurity, signed May 11, has received praise from both Congress and industry for continuing the progress of the previous administration and focusing on the issues of workforce development, IT modernization, and implementation of the NIST Cybersecurity Framework.
“We are encouraged by the approach outlined in the Cybersecurity Executive Order, which takes another important step forward as part of a continual arc of bipartisan cybersecurity policy progress from successive administrations and bipartisan legislation passed by Congress in the last few years,” said Ryan Gillis, vice president of Cybersecurity Strategy and Global Policy at Palo Alto Networks. “In particular, we applaud its focus on cybersecurity risk management, enhancing partnerships with the private sector critical infrastructure community, and its emphasis on modernizing government IT networks to leverage shared and cloud-based cybersecurity services.”
“Cybersecurity is critical to national security, and [the] executive order shows that President Trump is taking the matter seriously,” said Rep. Lamar Smith, R-Texas. “This executive order gives Federal agencies the right direction, goals, and priorities to keep America safe.”
The executive order requires agencies to use the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), which was previously voluntary, to conduct risk evaluations on agency systems.
Smith applauded the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, introduced by Rep. Ralph Abraham, R-La., which would require NIST to assist agencies in framework adoption.
NIST has already released a draft Implementation Guidance to help agencies apply the Framework to their needs.
“We applaud the president for this big step forward in improving our country’s security,” said Orion Hindawi, CEO of Tanium. “Requiring all agencies to implement the NIST Framework and document their risk is key to spurring a broader cybersecurity push across government. We look forward to working with all our Federal partners as they work to meet these new standards.”
“An enormous amount of effort has gone into building the National Institute of Standards and Technology Framework, and we applaud the executive order’s mandate for use by Federal agencies,” said Tony Cole, CTO of Global Government at FireEye. “We hope the framework will continue to evolve as the efforts of cyber adversaries evolve. If properly designed and implemented, the framework can have a major positive impact on the security posture for many organizations. Some agencies, though, simply don’t have the needed expertise due to a global shortage of experts to implement the framework and should look to cloud services from suppliers with the much-needed skills.”
The executive order also places importance on modernizing IT systems to ensure security, though it does not include requirements or suggestions for funding that modernization.
“Obviously IT modernization is a critical need, but my main concern is the lack of any additional funding associated with the effort. It asks agencies to catalog what needs to be improved then budget accordingly. I’m not so sure that’s very different than what’s happening now,” said Chris Townsend, vice president of Federal at Symantec. “I’m hopeful having outdated systems detailed in the reports required by the EO will help Congress see the magnitude of the issue and appropriate the funds to help.”
Both Cole and Gillis encouraged government engagement with the private sector on modernization efforts, and Gillis said that industry innovation will be “critical in replacing legacy Federal IT systems with next-generation solutions.”
The executive order also requires increased involvement by agency leadership, and establishes new reporting requirements on agency compliance and government preparedness for a cyberattack.
“The direct involvement of agency heads in the strategy and deployment of risk assessment and mitigation activities was good to see,” said Cole. “We believe this is a much-needed step in the right direction and can have a significant impact if proper resources and attention are given to this new requirement from the agency head down through the organization.”
Townsend also encouraged agencies not to think of the reporting requirements as a compliance exercise.
“If you view something as a compliance exercise, that’s what it becomes,” said Townsend. “It’s incumbent on agency leadership to use the EO as a catalyst to meaningfully improve security posture.”