The long-awaited and oft-delayed cyber executive order from the new presidential administration was finally signed.
And while experts applauded its focus on cyber-risk management, many said the devil will be in the details.
After months of delays, President Donald Trump signed the new cybersecurity executive order on Thursday, and experts immediately noted that the order points to a new direction for government cybersecurity efforts. The cyber executive order reiterated that each federal agency and department head will be held accountable for cybersecurity, and it laid out requirements for in-depth reports and plans from each, which will be audited by the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS).
Mike Shultz, CEO at Cybernance Corp., a cyber-risk management company based in Bee Cave, Texas, said the cybersecurity executive order marks "a dramatic cultural shift in the way the federal government is looking at cybersecurity."
"Currently, all federal agencies have their own cybersecurity processes in place to protect their own systems. Trump's order mandates that the security of federal agencies has to be controlled on an entire enterprise level -- instead of building security protocols for specific systems, all people, processes and policies within the agency must be analyzed and reported on," Shultz told SearchSecurity via email. "We've never had a mandate that requires agencies to build a comprehensive risk and mitigation report for their organization and then report to the Department of Homeland Security and the director of the Office of Management and Budget."
According to the cyber executive order, federal agencies and departments will have 90 days to provide a report regarding cyber-risk management efforts. From each of these reports, OMB will have 60 days to provide the president with an accounting and plan for the budgetary requirements necessary to manage risk, address budget gaps and identify policy changes needed to enforce the NIST Cybersecurity Framework.
Jess Richter, chief revenue officer of DarkLight Cyber, a cybersecurity analytics company based in Santa Monica, Calif., said plans like these are invaluable and "should have been in place years ago."
"[The cyber executive order] asks for a plan to protect the agency and to establish regular risk management evaluations in alignment with the NIST framework within 60 days. If the agency is struggling with priorities, then this should clarify it," Richter told SearchSecurity via email. "Cybersecurity audits [and] risk-mitigation plans are a real part of every enterprise -- and the agencies [and] departments should be scrutinized for this. In the commercial world, the plans are part of assessing real business risk and aren't simply nice to have."
However, Kevin Magee, global security strategist at Gigamon Inc., based in Santa Clara, Calif., said the act of writing these reports could be more important than the reports themselves.
"The more interesting question will be how agency and department heads approach their response to the requirement to document the risk mitigation and acceptance choices they have made to date and the strategic, operational and budgetary considerations that informed those choices," Magee told SearchSecurity. "This directive forces agency and department heads to not only take ownership of their current cybersecurity posture, but also to demonstrate the degree to which they have strategically viewed cybersecurity risk and upon which factors they have prioritized their decisions. I think this will be an invaluable exercise."
Leo Taddeo, former special agent in charge of the special operations cyber division of the New York FBI office and current CISO of Cyxtera Technologies Inc., based in Coral Gables, Fla., worried about the role of DHS in the plans.
"The order is not a plan to fix the federal government's cybersecurity challenges. Instead, it's a directive to each agency to implement the NIST framework to assess the agency's cyber-risks and create plans to mitigate them," Taddeo told SearchSecurity. "The task of judging the adequacy of the assessments and the plans falls on DHS and OMB. This is a risky approach, given DHS' questionable track record in cybersecurity."
Missing details of the cybersecurity executive order
John Kronick, director of ATG cybersecurity solutions for Stratiform, a cloud services company based in Calgary, Alta., said accomplishing the cyber executive order requirements in this timeline is a "tall order."
"Since the NIST Cybersecurity Framework [CSF] has been out for several years, it has gone through revision, but has not been implemented on a consistent or comprehensive basis, and the efforts to measure the effectiveness of its use [are] still under development. That being said, it is one thing to initiate a risk assessment utilizing the CSF, but it's quite another to initiate action to remediate the issues identified in the risk assessment," Kronick told SearchSecurity. "While the executive order mandates use of the CSF, it does not require CSF training [for] agency users of the tool, and there has been a lack of consensus on how best to use the CSF within the agency, how to remediate findings, and consequences for not addressing CSF gaps and issues."
A number of experts also noted that none of the reports required by the cyber executive order or the modernization plans mean anything without the budget resources from Congress.
John Chirhart, federal technical director at Tenable Network Security, based in Columbia, Md., said holding department heads accountable "sounds amazing in theory, but extremely difficult in practice."
"The inability of Congress to pass a timely budget means many agencies cannot spend money right now and are unable to make the investments required to improve their overall security posture. Even when funds are available, the technology procurement process can take years to navigate -- and you still may not be able to get what you want or need to solve the problem," Chirhart told SearchSecurity. "If you need a fire hose to put out a fire, but the Federal Acquisition Regulations make you wait 11 months to get a garden hose, the house will burn down before you even get to the store."
Philip Lieberman, president of Lieberman Software Corp., based in Los Angeles, agreed that "if there is no budget from Congress for the order, it will have little real effect."
"All plans have to be funded and accompanied with laws and regulations that are specific. No question cybersecurity is critical, but the devil is in the details and specifics," Lieberman told SearchSecurity, adding that "NIST does not provide specific guidance on how to solve problems -- only on pointing out the problems to be solved."
Still no federal CISO
Another issue experts had with the president's plan was it didn't mention anything about the role of the federal CISO, a position which has gone unfilled since former federal CISO Gregory Touhill stepped down the day before Trump's inauguration.
Magee praised the cyber executive order for acknowledging "the strategic importance of cybersecurity risk management and [putting] agency heads on notice that they will be held accountable," but had a major caveat.
"It looks like the desire is to consolidate oversight authority within the executive branch. In the vein of having one throat to choke, it would make sense to have a federal CISO in place to set investment priorities and to oversee plan execution," Magee said. "However, without a federal CISO to guide and implement the necessary changes that will result from the various reports required of departments and agencies by the executive order, we will likely continue to see a siloed and fractured approach to addressing the cybersecurity needs of the nation continue."