There are many things to like in the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure that President Trump recently issued, but chief among them is the direction for federal agencies to follow the risk assessment standards established by the National Institute of Standards and Technology (NIST).
At its core, the NIST Cybersecurity Framework (CSF) is a leading guide to help organizations – both public and private – effectively manage their risk. The NIST CSF has proven to be an effective cyber baseline for organizations in the private sector, and is being deployed widely across a number of industries to shape cybersecurity strategies, including healthcare, financial services, critical infrastructure and, yes, even Symantec. By requiring agencies to follow the NIST CSF and submit a report based on their findings, the Trump administration is building on the positive work already done to improve cybersecurity – and pushing it forward.
The Cybersecurity Executive Order is something the Trump administration has discussed since its first days in office. In addition to the focus on the NIST CSF, it includes a number of other major initiatives such as:
- Placing the responsibility for cybersecurity risk on the heads of federal agencies
- Calling for a report on cybersecurity concerns facing critical infrastructure to be drafted within six months
- Mandating that government agencies, especially those in the civilian sector, consider opportunities to share cyber technology when feasible (a shared services approach to cyber)
This all represents a positive first step from the Trump administration in terms of its cyber stance. Instead of “throwing the baby out with the bathwater” so to speak, the new leadership has embraced and built upon previous initiatives.
That said, this is still only one step in the process. Cybersecurity breaches continue to dominate the headlines. Just two days after Trump issued the Executive Order, the WannaCry ransomware attack hit computers all over the world. While the attack’s damage to federal systems seems to have been limited, it was a stark reminder of the impact cyber threats can have on a global basis.
The United States government remains the focal point for attacks. Some begin with simple vulnerabilities, such as taking advantage of poor cyber hygiene, while others are more sophisticated. All of them present a danger to federal agencies, national security and the public at large.
The Executive Order and its focus on the NIST CSF are a fantastic start to help agencies navigate the challenges ahead. Anything that supports improved cybersecurity will ultimately help in the long run (increasing budgets for cyber-related programs would also help…immensely). How agencies actually interpret the Executive Order and the NIST CSF and move forward with implementation is the key next step. This cannot be about adding – or bolting on – point security products that do not interoperate with one another in a panic-mode approach. Agencies need to develop a comprehensive cyber strategy that includes more integrated capabilities, including solutions that are built to work together, and that aligns with each functional area in the NIST CSF.
We applaud the Cybersecurity Executive Order and its initial intentions. This presents agencies with an opportunity to re-imagine their current security programs and take significant steps to ensure those programs are hardened. The cyber battle is never over, but a focus on adhering to the NIST CSF within the Executive Order is a good “stake in the ground.”