Cybersecurity Executive Order Could Drive a Federal IT Overhaul

Published: May 18, 2017

Tags: Critical Infrastructure Protection, Cybersecurity, Policy and Legislation, President Trump

President Trump’s Executive Order on cybersecurity could improve federal security, but also signal a “spend to save” mindset toward IT modernization.

The White House issued the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure last week. The much-anticipated Executive Order (EO) directs broad efforts by the Director of the Office of Management and Budget (OMB), the Director of National Intelligence (DNI), and the Secretaries of Homeland Security (DHS), Defense (DoD), Commerce (DOC) and others to improve executive branch cybersecurity, as well as to foster greater protections among U.S. critical infrastructure providers and increase collaboration among international partners. The EO has major implications for federal IT – in cybersecurity and beyond.

Key Elements that Impact Federal Departments and Agencies

Risk Management

The EO says the president will hold agency heads responsible for implementing cybersecurity risk management (RM) measures in line with the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) and for ensuring that their cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes.

Each agency head must submit a risk management report to DHS and OMB within 90 days that includes:

  • The risk mitigation and acceptance choices made by each agency head – including the strategic, operational, and budgetary considerations that informed those choices – and any accepted risk, including risk from unmitigated vulnerabilities.
  • A description of the agency's action plan to implement the Framework.

The DHS Secretary and OMB Director will assess each agency's risk mitigation plan to determine the effectiveness of its strategies.

Within 60 days of receiving the agencies' RM reports, the OMB Director will collaborate with the Secretaries of DHS and DOC and the GSA Administrator to submit to the President a report that assesses the acceptability of the agencies' plans and addresses any insufficiencies found in them. This OMB report will also address immediate unmet budgetary needs necessary to manage risk to the executive branch, and will clarify or issue policies, standards, and guidelines in support of the EO.

Shared IT Services and IT Modernization

Effective immediately, agencies are directed to show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.

The Director of the newly formed American Technology Council (ATC) is required to coordinate with the OMB Director, the GSA Administrator and the Secretaries of DHS and DOC on a report on IT Modernization, describing the legal, policy, and budgetary considerations – as well as the technical feasibility and cost effectiveness – of transitioning agencies to one or more consolidated network architectures and shared IT services, including email, cloud, and cybersecurity services. The report will also assess the effects of transitioning agencies to shared cybersecurity services. The report is due within 90 days of the EO.

For National Security Systems, the Secretary of Defense and the Director of National Intelligence (DNI) are responsible for implementing the EO and submitting a report within 150 days.

Implications

The NIST Risk Management Framework and related cybersecurity guidance have been evolving for years, and agencies have been working to adopt them, but progress has been inconsistent at best. The new EO does not mince words: the White House expects agency heads to implement the Framework and to show evidence of how that implementation is progressing at their agencies.

The White House is also seeking to drive greater efficiencies through IT shared services, including cybersecurity shared services. We’ve seen pockets of shared services in various places across the federal landscape and the EO throws OMB’s weight behind that movement.

But what may be a major “missing link” in helping agencies achieve a quantum leap forward in their cybersecurity is the modernization of federal IT architectures and systems, including shared services, and this is where the recently established American Technology Council is likely to be instrumental. In the White House Press Briefing announcing the cyber EO, Homeland Security Advisor Tom Bossert said, “… we’ve heard numbers that suggest the federal government spends upwards of $40,000 per employee on their IT service costs. And that is so out of line with private industry … and so I think you’ll see that innovation come from that group of leaders and thoughtful people.” (i.e., the ATC).

The cybersecurity EO recognizes the issue and leaves the window open for significant modernization efforts in what could be viewed as “spend now to save later” by the White House.