On May 11, President Trump signed the Cybersecurity of Federal Networks Executive Order, which requires all federal agencies to begin running risk management, reporting, and recovery programs under the Cyber Security Framework (CSF) of the National Institute of Standards and Technology (NIST).
The federal order is similar regulations circling throughout the corporate sector, but there’s an urgency here: Agencies must meet these mandates under a strict 90-day deadline, and the countdown began the day the order was signed almost two months ago. With the clock ticking, agencies need to get compliant—and do so fast.
So where do you begin? Here’s a rundown of what the executive order means.
Comprehensive but complicated
The order requires that agencies follow the NIST framework, meaning agency heads will have to reassess and optimize risk programs at all levels and corners of their organizations. While NIST is a comprehensive approach to cyber-risk management, harmonizing with these new standards will undoubtedly prove a slow process, since this is not a task that’s been done regularly, if at all.
Even agencies that already follow the NIST framework will need to review their cybersecurity programs, which are likely fragmented, siloed, and out of date and quite possibly dependent on spreadsheets and patchwork infrastructures. An undertaking this massive means significant amounts of automation will be required to comply, especially considering the fast-approaching deadline.
Investing in tools that will streamline cyber-risk governance and mandatory reporting processes will be an advantage for agencies committed to meeting the 90-day deadline. There are also tools that break down the complexities of cyber-risk governance to ensure that it can be understood and applied by everyone at an agency.
Cyber-risk governance is the goal
There are numerous cybersecurity frameworks out there, but the fact that Trump’s executive order requires compliance with NIST means that cyber-risk governance, rather than IT compliance, is the goal. The order mandates that the security of federal agencies must be controlled on an enterprise level. So, instead of building different security protocols for specific systems, all people, processes, and policies across the agency must be analyzed and reported on as one entity.
This is a sweeping change in the way the federal government looks at cybersecurity, requiring a dramatic culture shift.
The business of security
Cybersecurity is no longer solely an IT issue; it is a business issue as well, both in and beyond the government sector. It has become evident with the growing magnitude of cyber breaches in the US that cyber defense requires input and attention from agency heads and boards of directors, but mapping those deeply technical risk factors to overall business risk has been an ongoing struggle. Because of this, cybersecurity has since fallen squarely on the shoulders of CISOs and IT teams, even though successful risk mitigation is contingent on involvement and assistance from agency heads, who will now also be the ones held responsible for any damaging losses incurred from cyberattacks.
The current risk-mitigation model for most agencies is sprawling and decentralized. IT teams will independently monitor and assess the agency’s cyber risk under whichever standard they’ve deemed appropriate, check off hundreds of protocols on a spreadsheet, record responses, and score risks from each department, then prepare for agency heads what will undoubtedly be a convoluted report on cyber maturity and risk-deferral options.
These agency leaders often lack the ability to translate the deeply technical insights in such reports into business terms that would support proper enforcement of the recommendations made by the IT team. It’s a vicious cycle that is deteriorating our government’s cyber defenses and leaving agencies vulnerable to devastating breaches, both on the perimeter and internally. To achieve cyber resilience, agencies need to implement a cyber-conscious culture focused on preparing people at all levels of the agency to identify, assess, and mitigate risk from the top down.
The go-to standard emerges
But a shift in culture at a few agencies won’t be enough to incite the kind of radical changes we need to see in cybersecurity in the federal realm. It is a mindset that needs to be aligned across the entire portfolio in order to protect the government network as an autonomous unit. The government has been working for years to develop a standardized approach to cyber-risk governance, but the problem is that there is no “one size fits all” solution. The NIST CSF, however, has been widely recognized as a go-to standard, and this executive order will accelerate the solidification of its status as a common platform for measurement and comparison. Having a baseline for cyber-risk governance across the government network will be a huge stride toward achieving national cyber resiliency.
Too little, too late?
Broad adoption of the NIST CSF is encouraged by the Department of Homeland Security’s SAFETY Act office, which offers liability protection for firms that deploy technology to assess and report NIST capabilities. With the growing threat of cyberterrorism in the US, agencies also need to ensure that they are protected from the harsh legal and financial implications associated with cybercrime.
The sad truth is that cyberattacks happen, and hackers are finding more sophisticated ways to break through U.S. cyber defenses every day. But having a standardized framework in place will allow agencies to deploy and adjust strategies as a unit to keep up with (and hopefully get ahead of) the evolving threats.