By Danielle Dean
The president issued an executive order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, on May 11.
The policy builds upon the Department of Homeland Security's existing authorities and capabilities to lead the effort of securing federal networks. It recognizes the importance of continuing to implement strategies and identify agency gaps in implementing a strong cybersecurity policy across the federal network.
Of particular importance is the policy of the executive branch to manage cyberrisks as an enterprise, as opposed to a dissociated, agency-centric model. The order also clearly states that agency heads will be held accountable for risk management of cyberthreats to their agency.
Part of the order touches on aspects of workforce development and education across the U.S. It requires specified agencies to identify and assess the sufficiency of current education and training efforts, including cybersecurity-related education curricula, training and apprenticeship programs, from primary through higher education. Agencies are directed to provide recommendations on how the federal government can support the “growth and sustainment of the nation's cybersecurity workforce in both the public and private sectors.” The NCSL Executive Task Force on Cybersecurity has been addressing the workforce and education issues at the state level during its last several convenings.
This year has seen a bevy of state and federal legislative activity as well, with a focus on IT modernization, workforce development and education, and updating criminal codes to encompass cybercrimes. Below is a short summary of the highlights under the executive order. Read the full summary.
- Agency heads will be held accountable by the president for implementing risk management measures commensurate with the risk and magnitude of the threat, and for complying with strategic, operational and budgetary planning processes.
- Each agency head shall use the NIST Framework for Improving Critical Infrastructure Cybersecurity.
- Agencies will be required to establish a regular process for periodic evaluation of risk management plans and budgetary needs.
- The executive branch will build and maintain a modern, secure, and more resilient executive branch IT architecture.
- Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud and cybersecurity services.
- The policy of the executive branch will support the cybersecurity risk management efforts of the owners and operators of the nation's critical infrastructure.
- Develop a process to identify and promote action with the goal of dramatically reducing threats perpetrated by automated and distributed attacks.
- Assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident, the readiness to respond, and any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident.
- Looking at cybersecurity for the nation, the executive branch promotes an open, interoperable, reliable and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud and theft.
During a call involving the U.S. Department of Homeland Security, Office of Partnership and Engagement, International Affairs to discuss the executive order, several questions arose regarding the role of state and local government, private sector entities and federal-state partnerships.
The action plan calls on the federal government to work with industry and state and local entities to protect critical infrastructure. In meeting this directive, the Office of Partnership and Engagement highlighted existing partnerships to coordinate the implementation of the order, specifically the use of the State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) and the importance of engaging with state and local utilities and infrastructure organizations.
Grant funding is being considered, with DHS and FEMA discussing preparedness grants as an option. One takeaway for states and state administrative agencies interested in cyber grants is to identify gaps and needs in training, response and recovery in the event of a cyber incident. States can hold hearings to better understand their agencies’ cybersecurity strategies and identify gaps in detection, mitigation, response and recovery efforts, which helps facilitate the dialogue between states' needs and federal coordination and preparedness grant funding. One example is identifying training for first responders covering the immediate aftermath, response and recovery after a cyberattack.
One question was whether any changes would be made to the National Cyber Incident Response Plan (NCIRP). The response was "no," but there will be continuing efforts to use the NCIRP in adherence with the executive order.
Danielle Dean is a policy specialist with NCSL's Law, Criminal Justice, and Public Safety Committee.