On May 11, 2017, the Presidential Executive Order 13636 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (“Cybersecurity Executive Order”) was released. The Cybersecurity Executive Order sets out the White House’s goals for cybersecurity compliance for federal agencies. The Executive Order’s release comes as no surprise. Even if you are not a government agency, the Cybersecurity Executive Order may have ramifications for your business in the long term.
I’m not a government agency. Why do I care?
While the Cybersecurity Executive Order does not constitute a legal requirement for the average business, it does set a precedent and standard of behavior. Any kind of regulatory act, be it executive order or legislation, has an impact on the way businesses and people are expected to act.
Even if you are not a government agency and do not work with one, you may want to follow the Cybersecurity Executive Order to see what the government considers important when protecting its own assets. If a government agency were ever created to review cybersecurity, it would likely follow the standards set out in Order 13636.
What is the Cybersecurity Executive Order?
The Cybersecurity Executive Order has three sections. The first discusses the importance of agency IT and data protections specifically. By holding agency heads and executive departments accountable, the executive order places cybersecurity within executive control. Within this, the Cybersecurity Executive Order implements risk assessments and requires the use of The Framework for Improving Critical Infrastructure Cybersecurity (the Framework).
Section 2 of the Cybersecurity Executive Order focuses on critical infrastructure. Within this section, the Order focuses on electricity disruption, the defense industrial base, and of particular note, botnets.
The third section focuses on establishing reviews of the country’s infrastructure and the strategic options for protecting data. Moreover, this section also includes reviews of the cybersecurity workforce and the future of training to ensure cybersecurity going forward.
Are there any other executive orders I should know about?
The Cybersecurity Executive Order came 10 days after another executive order established the American Technology Council (ATC). The ATC’s purpose is to
(i) coordinate the vision, strategy, and direction for the Federal Government’s use of information technology and the delivery of services through information technology;
(ii) coordinate advice to the President related to policy decisions and processes regarding the Federal Government’s use of information technology and the delivery of services through information technology; and
(iii) work to ensure that these decisions and processes are consistent with the policy set forth in section 1 of this order and that the policy is being effectively implemented.
When reviewing these two orders together, analysts see a trend. The current administration wants to start reviewing and setting policy decisions regarding the government’s technology. Both executive orders focus on federal data. This means that unless you are an agency or a business that handles federal agency data, your organization is completely out of this loop.
So, the Cybersecurity Executive Order requires use of NIST? Do I have to comply?
The quick answer is that unless you are a government agency or a critical infrastructure business, this does not impact you immediately.
The longer answer is that this executive order is just the first step in the cybersecurity process. As Dan Lohrmann noted on May 14,
These reports and other deliverables will be essential building blocks with much more to come. This is a foundational EO on cyber that continues the momentum that was built in the Obama administration but also adds much more federal agency director accountability. This is a good thing since every cyberexpert knows that true management buy-in and support is a critical success factor.
Basically, the government has the same problems you have. Management does not want to think about cybersecurity issues, so it ignores them or pushes the responsibility onto someone else. The Cybersecurity Executive Order creates a trend that may have a broader impact on the allocation of responsibilities.
Great! I don’t deal with federal data, so the Cybersecurity Executive Order doesn’t apply to me, right?
As an immediate function? You’re right.
As a long-term issue, however, you want to pay attention to what’s happening. Between these Executive Orders and the GDPR, government entities are taking a deeper interest in the state of cybersecurity. With this in mind, it might be smart to keep an ear to the ground and eyes on the internet.
The GDPR has far-reaching tentacles. By attempting to enforce standardized information security compliance across all businesses that interact with European Union citizens, the legislation attempts to create a multinational social norm of security behavior.
Meanwhile, as the United States government begins evaluating its own information security standards, a move towards standardization may be afoot. With the right experts and government stance, these standards could be used later on as the basis for legislation regulating the information technology industry.
Inconceivable!
With the current industry as a patchwork quilt of standards and cyberattacks on the rise, people are worried. When people are concerned about safety, they turn to their government to fix things. With overlapping industry standards and niche regulations, it is possible that the idea of an overarching cybersecurity legislation similar to legislation for banking will take hold.
Remember that the GDPR looks to industries to create best practices and incorporates approval of these practices into the legislation. By doing this, the GDPR sets out an overall standard but also makes allowances for the needs of individual industries. This could work similarly to the way banks and credit unions function differently in their reporting and dividend provisions. Although both are financial institutions, their underlying individual industries allow for differences. This could be used as a model in other countries, like the United States, in the future.
What can I do?
All of this means that it is important to follow along closely and have an agile response. Many of the different standards and regulations already overlap. As government eyes start to gaze on information security, they will turn to places where compliance is already delineated.
If you’re still relying on a series of spreadsheets, those may not only end up irrelevant but may also make more work in the long run. The goal here is to focus on the long game, not the short term. An automated system is a great preparation for future changes.
Automation provides visibility across standards. This allows you to see the overlaps in your protocols. To the extent that future regulations may rely on current protocols and then spin off to address industry-specific needs, an automated GRC tool will speed up the transition. By creating consistency across your organization, you will be more than a step ahead for any future regulatory changes—you will be several steps ahead.
You need to be tenacious and meticulous. Be prepared. Whether or not the United States chooses to adopt its own legislation, the future of compliance is moving towards overarching requirements while allowing for industry idiosyncrasies. The easiest way to get and stay compliant in the long term is to find a system that allows for the transparency of records while also giving you an opportunity to make system-wide changes easily.
Read how ZenGRC can help you prepare for any regulatory changes that may come in our eBook “Insider’s Guide to Compliance: How to Get Compliance and Stay Agile.”