Executive Director, Executive Advisory - Office of the CISO
Russell Pierce is an information technology, risk and information security executive with more than 30 years of experience in both the public and private sector. In his current role as an executive director within the Office of the CISO executive advisory team at Optiv, he works with federal chief information security officers and senior agency officials as a trusted advisor helping to assess, develop, guide and improve information security management programs while ensuring alignment with agency goals, objectives and obligations.
What Changes will EO 13800 Bring to Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure?
Anyone who has held the position of CIO or CISO in a government agency or bureau can tell you that implementing an effective information risk management program has been more of a journey than a destination; and anyone who is surprised that we as a nation have struggled to protect our applications, data and infrastructure hasn’t been following the news.
At the turn of the century, the public and private sectors began building our next-generation information systems on open protocols that were inherently complex and difficult to secure. Though there have been many successes to note, there also have been significant failures that suggest we still have work to do.
For the public sector, the watershed moment came with the Office of Personnel Management (OPM) breach in 2015. In the wake of this incident, the federal government implemented shorter- and longer-term changes. These included patching vulnerable federal systems, strengthening identity management, upgrading antiquated infrastructure, investing in a cybersecurity workforce, and developing a cybersecurity framework to facilitate the sharing of information risks, controls and mitigation strategies between the public and private sector.
As the next leg of the journey begins, what changes will Executive Order (EO) 13800 bring to strengthen the cybersecurity of federal networks and critical infrastructure?
Information Risk Management Policy of the Executive Branch
The title, “EO 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” might lead you to believe the order is simply focused on infrastructure safeguards, but it is much more than that. EO 13800 is the president’s information risk management policy for the executive branch. The good news is that for most federal agencies the order contains very few surprises; many of the policies in the order fall in line with existing laws, prior executive orders, cross-agency priority (CAP) goals or other areas that should have been anticipated based on past events.
EO 13800 is broken down into five sections, three of which constitute the policy direction of the order. I’ll cover each separately.
Section 1 – Cybersecurity of Federal Networks
The president is holding agency heads responsible for the cybersecurity of their agency. Though it is now official, this point was made abundantly clear in 2015 after the OPM data breach and subsequent resignation of the secretary.
The use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is now required of all civilian agencies. For those that have already integrated their information risk management practices with the CSF, including alignment of their cybersecurity and privacy policies, there will be little impact. Those that haven’t integrated with the CSF will be required to develop and provide an implementation plan to the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) within 90 days of the EO (by August 9, 2017).
Each agency will be required to perform an initial risk assessment, the results of which must be provided to OMB and DHS for review within 90 days of the EO (by August 9, 2017). In addition to cataloging agency risks and mitigation strategies, OMB and DHS will be evaluating the risk mitigation and acceptance choices made by each agency. Of particular interest to OMB and DHS are risks being assumed by the agencies that have little or no mitigation strategy. A final report and recommendations will be provided to the White House 60 days after receipt of the agency risk reports and CSF implementation plans.
To reduce cybersecurity risks associated with antiquated technology, the administration plans to invest in the modernization of federal IT with an emphasis on shared IT services, including email, cloud and cybersecurity services.
The Modernizing Government Technology (MGT) Act of 2017 (H.R. 2227) would be a significant source of funding.
The bill establishes a Technology Modernization Fund for technology-related activities, improving information technology and enhancing cybersecurity across the federal government. The bill passed the House on May 17, 2017 and is currently awaiting consideration by the Senate.
The aforementioned policy and information requests also apply to National Security Systems as feasible and appropriate. This must be completed within 150 days of the order (by October 9, 2017).
Section 2 – Cybersecurity of Critical Infrastructure
Managing the cybersecurity risks of the nation’s critical infrastructure, which is owned and operated by the private sector, continues to be directed and implemented through a collaborative effort between the public and private sector. This could change if we have an event that undermines the nation’s security, economy, public health or safety.
Within 180 days of the EO (by November 7, 2017), federal agencies associated with critical infrastructure are being requested to explore what authorities and capabilities they have to assist the private sector and share this information with the owner/operators of critical infrastructure to identify what can be done to better identify and manage their cybersecurity risks.
Though the relationship may be, nominally, a collaborative effort, it is clear that the administration is exploring options to gain greater visibility into the risks and risk management practices of the owners/operators of the nation’s critical infrastructure, especially those that are publicly traded or manage the electrical grid. To this end, DHS and the Commerce Department have been tasked with evaluating the sufficiency of current practices that promote market transparency of cybersecurity risks and risk management practices.
Section 3 – Cybersecurity for the Nation
As the section title suggests, the scope of this section is broad and strategic in nature. The administration’s policy is to ensure the viability and security of the Internet for the nation through investment in better deterrents, international cooperation, information sharing and a globally competitive cybersecurity workforce.
The tone at the top is clear and on point relative to the federal government’s challenges. The administration’s willingness to build its cybersecurity program by leveraging the many positive cybersecurity contributions, and lessons learned, from the prior administration is a good decision that will help it achieve its goals in a more efficient and effective manner. Exploring ways to ensure critical infrastructure owners and operators are doing their part to safeguard their assets and being transparent about their cybersecurity risks is also a step in the right direction.
EO 13800 is a good start, but the road ahead is sure to be bumpy. Areas we will be watching over the coming months include:
- Agency high value assets, national security systems and critical infrastructure cybersecurity risks. How bad are they, and what will it take to address them?
- Passage of H.R. 2227, the MGT Act, by October 1, 2017. Will it pass, and if not, what will the contingency plan be to fill the cybersecurity budgetary void?
- State of agency integration with the CSF. At this point it’s unclear where each agency and bureau stands relative to implementation of the CSF.
- Changes in cybersecurity budgets in appropriation bills approved by the House and Senate appropriation committees. Will the president’s recommended cybersecurity budget amounts remain intact, or will they be adjusted in the final bill sent to the president?
- Will the president sign appropriation bills with modified cybersecurity budget amounts, or will they be vetoed?
- Will an impasse between the president and Congress lead to a government shutdown in October?
Look for more blog posts in the future related to this subject as things continue to change.