President Donald Trump on Thursday signed a much-anticipated (and delayed) executive order on cybersecurity, and it prioritizes risk management for federal IT systems, modernizing federal technology and the use of shared IT services. The order refocuses cybersecurity policy around three main areas: protecting federal networks; protecting critical infrastructure; and securing the nation through deterrence, international cooperation and the workforce.
Under the order, agency heads will be held accountable by Trump "for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data."
Additionally, effective immediately, each agency head is ordered to use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology, or any successor document, to manage their agency's cybersecurity risk. Each agency head is required to provide a risk management report to the secretary of Homeland Security and the director of the Office of Management and Budget within 90 days.
The order also states that it is the policy of the executive branch "to build and maintain a modern, secure, and more resilient executive branch IT architecture." Agency heads are now required, to the extent permitted by law, to show preference in their IT procurement for shared IT services, including email, cloud and cybersecurity services.
Meanwhile, within 90 days, the director of the American Technology Council, Chris Liddell, will coordinate and produce a report to the president from the secretary of Homeland Security, the director of OMB, and the administrator of the General Services Administration, in consultation with the secretary of Commerce, as appropriate, regarding the modernization of federal IT.
The report will "describe the legal, policy, and budgetary considerations relevant to — as well as the technical feasibility and cost effectiveness, including timelines and milestones, of — transitioning all agencies, or a subset of agencies" to one or more consolidated network architectures, as well as shared IT services, including email, cloud and cybersecurity services.