President Donald Trump signed an executive order on Thursday aimed at strengthening the cybersecurity of the federal government, according to the White House.
A copy of the document distributed to a White House press list and later posted on the White House website details Trump’s first attempt to develop a protocol for defending the U.S. against malicious hackers and securing the nation’s critical infrastructure.
In January, after receiving the U.S. intelligence community’s assessment of Russian interference in the 2016 election, Trump had promised that “within 90 days of taking office” he would require a team of cybersecurity experts to offer up a plan. That deadline passed nearly a month ago.
The order arrives after perhaps one of the worst weeks politically for the Trump administration, two days after the firing of FBI Director James Comey.
The document states that henceforth risk management decisions throughout the government will be managed as an “executive branch enterprise,” adding that the federal government has “for too long accepted antiquated and difficult-to-defend IT.”
It also imposes on all agencies a 90-day process for the implementation of a cybersecurity framework developed by the National Institute of Standards and Technology (NIST), a non-regulatory body charged with developing cybersecurity standards for the federal government.
Within 90 days, each federal agency must complete a number of tasks, including presenting a plan to implement the NIST framework, reporting on operational and budgetary considerations, and providing historical records of all “risk mitigation and acceptance choices made by each agency head.”
Those reports will be collected by the secretary of homeland security, retired Marine Corps Gen. John Kelly, as well as the Office of Management and Budget (OMB), and used to generate an overall assessment of the government’s cybersecurity strengths and weaknesses.
The federal government is also charged with assessing the “authorities and capabilities” that agencies can employ to support the defense of critical infrastructures.
The president’s order is “long on reporting, short on policy,” according to Mike Baukes, co-CEO of the California-based security firm UpGuard.
Baukes said that it also falls short of what Trump promised during the campaign: “The policy does not do much more than acknowledge we have antiquated systems and require agencies to do a self-assessment.”
He adds: “If the U.S. government is truly interested in pursuing cyber resilience it will need to recognize cyber risk as a complex threat which touches virtually all users of all digital platforms, not merely the nation’s most critical infrastructure.”
For those counting, the word “cyber” appears in the executive order a total of 39 times.