On May 11, 2017, President Trump issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The Executive Order directs federal agencies to strengthen cybersecurity and risk assessments, adopt appropriate and equivalent standards, and engage and seek input from various critical infrastructure entities. It requires numerous reports, which may ultimately be classified “in full or in part,” to be presented to the White House addressing whether the country is adequately prepared to defend itself against cyber threats. Effective immediately, heads of executive departments and agencies shall use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk. See Section 1(c)(ii) of the Executive Order. Within 90 days, agency heads are required to provide risk management reports to the Secretary of Homeland Security and the Director of the Office of Management and Budget, who shall jointly assess each report “to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate.” See Section 1(c)(iii) of the Executive Order.

Among other things, the Executive Order also requires the Secretaries of the Department of Energy and Department of Homeland Security, working jointly with the Director of National Intelligence and state, local, and tribal governmental entities, to assess and provide a report within 90 days on the potential scope and duration of a prolonged power outage caused by a “significant cyber incident,” as well as the readiness of the Federal government to manage the consequences of such an incident and any gaps and shortcomings in that readiness. See Section 2(e) of the Executive Order. The definition of a “significant cyber incident” is based on earlier cybersecurity directives, notably Presidential Policy Directive 41, entitled United States Cyber Incident Coordination (PPD-41) (July 26, 2016). PPD-41 defines a “significant cyber incident” as an event that is likely to harm national security, the economy, public health and safety, and public confidence and civil liberties.

The Executive Order also directs the Secretary of Homeland Security, in coordination with the Secretary of Defense, the Attorney General, the Director of National Intelligence, the Director of the Federal Bureau of Investigation, and the heads of other appropriate sector-specific agencies, to seek input from various critical infrastructure entities as to how their cybersecurity risk management efforts may be supported and enhanced. See Section 2(b)(iii)(C) of the Executive Order. The results of this engagement will be included in a report to the President within 180 days of the Executive Order, and annually thereafter. The Executive Order also seeks to foster market transparency in cybersecurity risk management practices by critical infrastructure entities, and directs the Secretaries of the Department of Homeland Security and Commerce Department to prepare, within 90 days, a joint report on Federal practices and policies that promote such marketplace transparency, with a focus on publicly traded critical infrastructure entities. See Section 2(c) of the Executive Order.

For more information on this and other cyber security initiatives, please contact Kristen Connolly McCullough, Sean Neal or Lisa Gast.