Taking First Steps to Compliance with the New Cyber Executive Order
By Shawn Campbell
It’s going to be a busy summer for federal IT and cybersecurity employees. On May 11, 2017 President Trump issued the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The earliest milestones for compliance are already looming on the horizon, with initial reports and plans due back to the President in the next couple months.
Specifically, the Executive Order (EO) addresses three areas:
1. Cybersecurity of Federal Networks, particularly cybersecurity risk management and IT modernization;
2. Cybersecurity of Critical Infrastructure, focusing on federal support for owners and operators of critical infrastructure (an additional goal in this area is to promote market transparency of cybersecurity risk management practices); and
3. Cybersecurity for the Nation, emphasizing consumer cybersecurity and the growth of a cybersecurity-trained workforce.
Among the compliance measures expressed in the EO, the Office of Management and Budget and the Department of Homeland Security are expected to review agency-wide self-assessments on risk management. Sixty days later, these two organizations, with input from the Commerce Department and the General Services Administration, must submit a plan to the President to strengthen security – including reviewing budget needs and reassessing those budget needs on a regular basis.
By this fall, the Department of Commerce and the Department of Homeland Security are expected to provide recommendations on “how to support the growth and sustainment of the Nation's cybersecurity workforce in both the public and private sectors.”
Of course, providing advice on how to comply fully with such a far-reaching order would take more than just one column like this. Instead, let’s spend some time understanding what it will take to reach a basic level of compliance with the first goal of the EO – namely the Cybersecurity of Federal Networks.
As a starting point, agencies will need to assess their enterprise IT based on the NIST Framework for Improving Critical Infrastructure Cybersecurity (commonly referred to as the “Cybersecurity Framework”).
Part of those assessments requires identifying “target profiles” based on NIST 800-53 (a catalog of security controls for all U.S. federal information systems, except those related to national security). Agencies also will use other related security control requirements and guidance to determine any insufficiencies or gaps in their enterprise.
After identifying any such gaps and insufficiencies, especially those related to information systems, agencies will have to work with their Information Technology and Operations Technology partners – as well as suppliers – to address their self-assessments and to identify mitigating security solutions.
Ultimately, the actions taken in response to this EO will lead all agencies, or a subset of agencies, to transition to one or more consolidated network architectures, and to employ more shared IT services, including email, cloud, and cybersecurity services (where those are not already in place).
Agencies transitioning to consolidated network architectures and shared IT services will need several technologies to ensure success, to include:
1. Cryptographic key management. These solutions enable agencies to securely partition shared infrastructures and provide access controls through encryption.
2. High assurance authentication. Authentication solutions provide common, assured (certificate-based) identities for access to converged network and IT services.
3. Cross-domain security. Cross-domain solutions facilitate information sharing across shared services and infrastructure.
The goal of this EO is laudable: To build and maintain a modern, secure, and more resilient IT architecture, Internet, and communications ecosystem. That will protect both data and IT hardware and software from unauthorized access and other cyber threats, and greatly reduce threats from bad actors using automated and distributed attacks.
But it’s no small job. Agencies are still assessing their compliance annually with the Federal Information Technology Acquisition Reform Act (FITARA), which to this point has shown halting progress among agencies in identifying and consolidating IT assets across departments. It’s easy to see how a lack of understanding in these areas could affect assessment of cybersecurity vulnerabilities in general.
Let’s hope that the agencies that have charted progress in FITARA will be able to channel that success into the assessments required by the EO. As we said, it’s going to be a busy summer.
BIO: Shawn Campbell is Director of Product Management, SafeNet Assured Technologies, a provider of cybersecurity solutions to the government. He can be reached at [email protected]. Additional information can be found at www.safenetat.com.