Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
President Trump issued Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure on May 11, 2017, to improve the Nation's cyber posture and capabilities in the face of intensifying cybersecurity threats. EO 13800 focuses Federal efforts on modernizing Federal information technology infrastructure, working with state and local government and private sector partners to more fully secure critical infrastructure, and collaborating with foreign allies.
The work undertaken to implement EO 13800 reflects the strong partnership across the Federal Government and with industry partners to safeguard the security of critical infrastructure and reduce national cybersecurity risk.
Report to the President on Federal IT Modernization
DHS, in partnership with the American Technology Council (ATC), the Office of Management and Budget (OMB), and key Government stakeholders, prepared the Report to the President on Federal IT Modernization. Priorities for action established in the report include: (1) safeguarding high-risk High Value Assets (HVAs), (2) promoting the modernization and consolidation of network infrastructure including DHS's Trusted Internet Connection (TIC) and National Cybersecurity Protection System (NCPS) programs, and (3) expanding the use of shared services, including DHS's Continuous Diagnostics and Mitigation (CDM) program, to enable broader use and adoption of cloud and mobile services.
DHS is actively engaged in implementing actions to improve the overall federal enterprise cybersecurity posture, modernize the Federal IT enterprise, and create a more robust partnership between Government and industry.
Support to Critical Infrastructure at Greatest Risk
DHS, in coordination with relevant Sector-Specific Agencies (SSAs), annually identifies and maintains a list of critical infrastructure entities that meet the criteria specified in Section 9 of Executive Order 13636, Improving Critical Infrastructure Cybersecurity, utilizing a risk-based approach. These "Section 9 entities" own or operate critical infrastructure "where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security."
DHS, in coordination with the Secretary of Defense, the Attorney General, the Director of National Intelligence, the Director of the Federal Bureau of Investigation, and the heads of appropriate Sector-Specific Agencies, identified authorities and capabilities that the Federal Government could employ to support the cybersecurity efforts of Section 9 entities. Additionally, DHS and its partners engaged these entities to evaluate how the authorities and capabilities might be employed to support cybersecurity risk management efforts.
The findings and recommendations from this work were reported to the President for better supporting the Section 9 entities in their cybersecurity risk management efforts, to include:
- Establishing a DHS program office to strengthen support to Section 9 entities and improve coordination of interagency support;
- Enhancing access to classified information;
- Revisiting the methodology to explore a more functions-based approach to identifying Section 9 entities;
- Improving incident communication and coordination;
- Improving cross-sector information sharing with Section 9 entities;
- Exploring incentives for private sector entities to exercise due care in protecting their information and information systems which could include reporting cybersecurity incidents to the Government;
- Establishing a public-private initiative to counter supply chain vulnerabilities and reduce cybersecurity vendor risk; and
- Exploring new technology to reduce cyber risk.
DHS will lead an interagency working group to focus on implementing the recommendations and engage with each Section 9 entity to ensure its understanding of the programs and resources available.
Supporting Transparency in the Marketplace
DHS, in coordination with the Department of Commerce, was directed to examine the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices, with a focus on publicly traded critical infrastructure entities. The resulting report was developed in a short 90-day timeframe through a collaborative interagency process; limited private industry engagement; and a literature review of secondary sources addressing the sufficiency of existing Federal policies and practices in promoting transparency of cybersecurity risks and risk management practices and the effectiveness of transparency systems generally in advancing policy goals. There were 96 different sources identified as part of the literature review, and several Federal policies and practices identified. The associated findings provide insight into the effectiveness of transparency systems; the sufficiency of existing Federal policies and practices; and informs future policy discussions regarding market transparency and improving cybersecurity outcomes.
Resilience Against Botnets and Other Automated, Distributed Threats
DHS worked closely with the Department of Commerce to lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the Internet and Communications Ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetuated by automated and distributed attacks.
The report, Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, summarizes the opportunities and challenges in reducing the botnet threat, and offers supporting actions to be taken by both the Government and private sector in order to reduce the threat of automated, distributed attacks. The report is centered around six principal themes:
- Automated, distributed attacks are a global problem.
- Effective tools exist, but are not widely used.
- Products should be secured during all stages of the lifecycle.
- Awareness and education is needed.
- Market incentives should be more effectively aligned.
- Automated, distributed attacks are an ecosystem-wide challenge.
Created with broad input from stakeholders and experts, the report lists five complementary goals that would improve the resilience of the Internet ecosystem. The recommended actions include ongoing activities that should be continued or expanded, as well as new initiatives, such as an effort to increase software component transparency and a public campaign to support awareness of IoT security.
Assessment of Electricity Disruption Incident Response Capabilities
DHS also worked closely with the Department of Energy to conduct an assessment of the potential scope and duration of a prolonged power outage associated with a significant cyber incident, as well as an evaluation of the readiness and gaps in the United States' ability to manage and mitigate consequence s of a cyber incident against the electric subsector. This assessment concluded that the U.S. is, in general, well prepared to manage most electricity disruptions, though there are particular areas where catastrophic considerations and emerging threats reveal capability gaps against cyberattacks.
To address these gaps, the assessment outlines areas spanning from improving public communications across officials at all levels, expanding cybersecurity technical expertise and information sharing, and integrating and augmenting planning and analytic capabilities for long term disruption and potential consequences and impacts resulting from such a disruption. In addition, early integration of cybersecurity into system design; funding for cybersecurity investments, particularly for smaller utilities; and strong workforce development would holistically support national preparedness of the Nation's electric infrastructure.
American Cybersecurity Workforce Development
The Department of Commerce and DHS assessed the scope and sufficiency of past efforts to educate and train the future U.S. cybersecurity workforce and to provide a report that identifies findings and recommendations on how to support the growth and sustainment of these future cybersecurity employees in the public and private sectors. To accomplish this work, cybersecurity education and workforce development subject matter experts from the departments of Defense, Labor, and Education, as well as the Office of Personnel Management, the National Science Foundation, and other relevant agencies were convened to discuss and present the status of existing efforts to grow and expand the Nation's cybersecurity workforce pipeline. To ensure broad input, a public, national-level workshop was convened and a public request for information (RFI) was issued.
The interagency working group, led by the Department of Commerce's National Institute for Standards and Technology (NIST) and DHS, compiled the results into a report to the President, identifying four key findings: (1) the U.S. cybersecurity workforce needs immediate and sustained improvements; (2) it is necessary to expand the pool of cybersecurity candidates through retraining and by increasing the participation of women, minorities, and veterans; (3) there is a shortage of cybersecurity teachers at the primary and secondary levels, faculty in higher education, and training instructors; and (4) comprehensive and reliable data about cybersecurity workforce position needs and education and training programs are lacking.
The report details five key recommendations to address the findings:
- The Federal Government should lead in launching a high-profile, national Call to Action to draw attention to and mobilize public and private sector resources to address cybersecurity workforce needs;
- The Administration should focus on, and recommend, long-term authorization and sufficient appropriations for high-quality, effective cybersecurity education and workforce development programs;
- The private and public sectors should transform, elevate, and sustain the learning environment to grow a dynamic and diverse cybersecurity workforce through retraining, hands-on, experiential and work-based learning approaches, including apprenticeships, research experiences, co-op programs, internships, virtual training and assessment environments, and by providing greater financial assistance for cybersecurity education and training;
- The private and public sectors should align education and training with employers' cybersecurity workforce needs by applying the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, developing cybersecurity career model paths, and establishing a clearinghouse of information on cybersecurity workforce development education, training, and workforce development programs and initiatives; and
- The private and public sectors should establish and leverage measures that demonstrate the effectiveness and impact of cybersecurity workforce investments through robust metrics and evaluation mechanisms to track and determine the quantity and quality of individuals educated, trained, and ready to fulfill cybersecurity tasks in the workplace.
- Read the Supporting the Growth and Sustainment of the Nation's Cybersecurity Workforce: Building the Foundation for a More Secure American Future Capabilities report.