Agency senior leaders to be held more accountable for cybersecurity

President Donald Trump decided not to sign a new cybersecurity executive order on Jan. 31 after meeting with public and private sector experts.

But a briefing by a senior administration official brought to light more details about how the new order — once it’s signed — will impact federal agencies.

The official said department secretaries now will be held more accountable than ever for managing their agency’s cyber risks. The draft order would require agency senior leaders to implement the cybersecurity framework developed by the National Institute of Standards and Technology to measure and mitigate risk.

Then, the Office of Management and Budget would assess and manage cyber risk governmentwide.


“I will hold my cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organizations, which we probably don’t have as much, certainly not as much as we need,” Trump said before a Jan. 31 listening session on cybersecurity at the White House. “We must protect federal networks and data. We operate these networks on behalf of the American people and they are very important. We will empower these agencies to modernize their IT systems for better security and other uses.”

The president’s mention of empowering agencies to modernize their IT systems follows the Obama administration’s efforts to use the cyber lever to get rid of legacy systems.

The official says the executive order calls on agency leaders to develop a plan for the deliberate modernization of federal IT as part of the overall cyber effort.

Reed Cordish, the assistant to the president for intergovernmental affairs and technology initiatives, will lead the modernization initiative. The official said it’s both a cybersecurity and a cost efficiency focus.

Cordish told the General Services Administration’s Technology Transformation Service last week that fixing the federal procurement system, building communities around digital services across the government and addressing longstanding technology and business architecture problems by dealing with legacy systems were among his priorities.

The Obama administration’s OMB started to move agencies toward IT modernization, issuing guidance in October, working with lawmakers on legislation, the Modernizing Government Technology Act, and collecting data to understand how big of a problem legacy systems are for agencies: $7.5 billion worth of IT will be out of date over the next three years.

The senior official said the Trump administration isn’t prepared to call on Congress for any legislation as of now, but they do expect lawmakers to play an important role, especially around IT modernization.

“I would anticipate others outside the building noting that there will be a cost to the modernization of IT,” the official said. “In addition to it being a key component to cybersecurity and to any risk management plan to put new, modern and defensible systems in place, I believe we can make a strong case for it also being a long-term cost-efficiency.”

The senior official told White House reporters during a briefing that they looked at all the commission reports and other external analyses, including the 2016 Commission on Enhancing Cybersecurity and the 2009 and 2016 studies by the Center for Strategic and International Studies (CSIS).

“We have taken some of those recommendations. You will see that, for instance, requiring the use of the NIST framework is something that was recommended in that commission,” the official said. “It’s a bipartisan issue; it’s something we believe is a good recommendation and you’ll see President Trump directing it in his order.”

It’s unclear how much the draft order has changed since the Washington Post obtained a copy last week. That order called for a series of studies and recommendations to come to the White House over the next 60 to 100 days. Cyber experts say the studies and recommendations aren’t needed and the problems already are well understood.

The Trump administration’s decision to give OMB more oversight and responsibility around risk management builds on the updates to Circulars A-130 and A-123 earlier this year. In that revamped A-123 document, OMB called on agencies to develop enterprise risk management plans and expand the use of internal controls beyond financial management.

In the new A-130, OMB also is focusing on risk management, particularly around cybersecurity and technology systems.

The senior administration official acknowledged that agencies already are on the hook for managing risk.

The official said the difference with the order is making agency senior leaders “aware that they have a deep responsibility here as opposed to delegating it down to their CIOs or more subordinate junior staff. We want them to stay on top of it and we believe that President Trump’s cabinet will do so.”

The official said OMB’s expanded role is to better understand all risk, not just the ones the agency leaders choose to disclose.

“We want to be informed of that so we can assess the risk to the entire enterprise at the federal executive branch,” the official said.

The White House didn’t say when the cyber executive order would be released, but Trump promised to make the security of public and private sector networks a priority.

Thus the initial meeting with cyber experts is expected to become a regular occurrence. Participants included current officials such as Adm. Mike Rogers, the director of the National Security Agency and commander of U.S. Cyber Command, and Homeland Security Secretary retired Gen. John Kelly, as well as former New York Mayor Rudy Giuliani, retired Gen. Mike Flynn, the former national security adviser, and retired Gen. Keith Alexander, former director of the NSA.