Download pdf - SM ASSURED ENTERPRISES: STRENGTHENING THE … · ASSURED ENTERPRISES: STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE x ® SM re® T™ +™ By the

Copyright 2017 Assured Enterprises Page 1

ExecutiveOrderChecklist

ASSUREDENTERPRISES:STRENGTHENINGTHECYBERSECURITYOFFEDERALNETWORKSANDCRITICALINFRASTRUCTURE

TripleHelixSM

AssuredScanDKV®

CyberScore®

DECENT™

AsuredSeven+™

BytheauthorityvestedinmeasPresidentbytheConstitutionandthelawsoftheUnitedStatesofAmerica,andtoprotectAmericaninnovationandvalues,itisherebyorderedasfollows:Section1.CybersecurityofFederalNetworks.

(a)Policy.Theexecutivebranchoperatesitsinformationtechnology(IT)onbehalfoftheAmericanpeople.ItsITanddatashouldbesecuredresponsiblyusingallUnitedStatesGovernmentcapabilities.ThePresidentwillholdheadsofexecutivedepartmentsandagencies(agencyheads)accountableformanagingcybersecurityrisktotheirenterprises.Inaddition,becauseriskmanagementdecisionsmadebyagencyheadscanaffecttherisktotheexecutivebranchasawhole,andtonationalsecurity,itisalsothepolicyoftheUnitedStatestomanagecybersecurityriskasanexecutivebranchenterprise.

✔ ✔ ✔ ✔ ✔

(b)Findings.

(i)CybersecurityriskmanagementcomprisesthefullrangeofactivitiesundertakentoprotectITanddatafromunauthorizedaccessandothercyberthreats,tomaintainawarenessofcyberthreats,todetectanomaliesandincidentsadverselyaffectingITanddata,andtomitigatetheimpactof,respondto,andrecoverfromincidents.Informationsharingfacilitatesandsupportsalloftheseactivities. ✔ ✔ ✔

(ii)Theexecutivebranchhasfortoolongacceptedantiquatedanddifficult–to-defendIT.

(iii)EffectiveriskmanagementinvolvesmorethanjustprotectingITanddatacurrentlyinplace.Italsorequiresplanningsothatmaintenance,improvements,andmodernizationoccurinacoordinatedwayandwithappropriateregularity. ✔ ✔

(iv)Knownbutunmitigatedvulnerabilitiesareamongthehighestcybersecurityrisksfacedbyexecutivedepartmentsandagencies(agencies).Knownvulnerabilitiesincludeusingoperatingsystemsorhardwarebeyondthevendor'ssupportlifecycle,decliningtoimplementavendor'ssecuritypatch,orfailingtoexecutesecurity-specificconfigurationguidance.

✔

(v)EffectiveriskmanagementrequiresagencyheadstoleadintegratedteamsofseniorexecutiveswithexpertiseinIT,security,budgeting,acquisition,law,privacy,andhumanresources. ✔ ✔



TripleHelixSM

AssuredScanDKV®

CyberScore®

DECENT™

AsuredSeven+™

(c)RiskManagement.

(i)AgencyheadswillbeheldaccountablebythePresidentforimplementingriskmanagementmeasurescommensuratewiththeriskandmagnitudeoftheharmthatwouldresultfromunauthorizedaccess,use,disclosure,disruption,modification,ordestructionofITanddata.TheywillalsobeheldaccountablebythePresidentforensuringthatcybersecurityriskmanagementprocessesarealignedwithstrategic,operational,andbudgetaryplanningprocesses,inaccordancewithchapter35,subchapterIIoftitle44,UnitedStatesCode.

✔ ✔

(ii)Effectiveimmediately,eachagencyheadshalluseTheFrameworkforImprovingCriticalInfrastructureCybersecurity(theFramework)developedbytheNationalInstituteofStandardsandTechnology,oranysuccessordocument,tomanagetheagency'scybersecurityrisk.EachagencyheadshallprovideariskmanagementreporttotheSecretaryofHomelandSecurityandtheDirectoroftheOfficeofManagementandBudget(OMB)within90daysofthedateofthisorder.Theriskmanagementreportshall:

✔ ✔

(A)documenttheriskmitigationandacceptancechoicesmadebyeachagencyheadasofthedateofthisorder,including: ✔(1)thestrategic,operational,andbudgetaryconsiderationsthatinformedthosechoices;and ✔(2)anyacceptedrisk,includingfromunmitigatedvulnerabilities;and ✔ ✔

(B)describetheagency'sactionplantoimplementtheFramework.✔

(iii)TheSecretaryofHomelandSecurityandtheDirectorofOMB,consistentwithchapter35,subchapterIIoftitle44,UnitedStatesCode,shalljointlyassesseachagency'sriskmanagementreporttodeterminewhethertheriskmitigationandacceptancechoicessetforthinthereportsareappropriateandsufficienttomanagethecybersecurityrisktotheexecutivebranchenterpriseintheaggregate(thedetermination).

✔ ✔

(iv)TheDirectorofOMB,incoordinationwiththeSecretaryofHomelandSecurity,withappropriatesupportfromtheSecretaryofCommerceandtheAdministratorofGeneralServices,andwithin60daysofreceiptoftheagencyriskmanagementreportsoutlinedinsubsection(c)(ii)ofthissection,shallsubmittothePresident,throughtheAssistanttothePresidentforHomelandSecurityandCounterterrorism,thefollowing:

✔ ✔

(A)thedetermination;and

(B)aplanto:



TripleHelixSM

AssuredScanDKV®

CyberScore®

DECENT™

AsuredSeven+™

(1)adequatelyprotecttheexecutivebranchenterprise,shouldthedeterminationidentifyinsufficiencies; ✔(2)addressimmediateunmetbudgetaryneedsnecessarytomanagerisktotheexecutivebranchenterprise; ✔ ✔(3)establisharegularprocessforreassessingand,ifappropriate,reissuingthedetermination,andaddressingfuture,recurringunmetbudgetaryneedsnecessarytomanagerisktotheexecutivebranchenterprise; ✔(4)clarify,reconcile,andreissue,asnecessaryandtotheextentpermittedbylaw,allpolicies,standards,andguidelinesissuedbyanyagencyinfurtheranceofchapter35,subchapterIIoftitle44,UnitedStatesCode,and,asnecessaryandtotheextentpermittedbylaw,issuepolicies,standards,andguidelinesinfurtheranceofthisorder;and

✔

(5)alignthesepolicies,standards,andguidelineswiththeFramework. ✔(v)Theagencyriskmanagementreportsdescribedinsubsection(c)(ii)ofthissectionandthedeterminationandplandescribedinsubsections(c)(iii)and(iv)ofthissectionmaybeclassifiedinfullorinpart,asappropriate.(vi)Effectiveimmediately,itisthepolicyoftheexecutivebranchtobuildandmaintainamodern,secure,andmoreresilientexecutivebranchITarchitecture. ✔ ✔ ✔ ✔ ✔(A)AgencyheadsshallshowpreferenceintheirprocurementforsharedITservices,totheextentpermittedbylaw,includingemail,cloud,andcybersecurityservices.(B)TheDirectoroftheAmericanTechnologyCouncilshallcoordinateareporttothePresidentfromtheSecretaryofHomelandSecurity,theDirectorofOMB,andtheAdministratorofGeneralServices,inconsultationwiththeSecretaryofCommerce,asappropriate,regardingmodernizationofFederalIT.Thereportshall:(1)becompletedwithin90daysofthedateofthisorder;and

(2)describethelegal,policy,andbudgetaryconsiderationsrelevantto--aswellasthetechnicalfeasibilityandcosteffectiveness,includingtimelinesandmilestones,of--transitioningallagencies,orasubsetofagencies,to:(aa)oneormoreconsolidatednetworkarchitectures;and

(bb)sharedITservices,includingemail,cloud,andcybersecurityservices.



TripleHelixSM

AssuredScanDKV®

CyberScore®

DECENT™

AsuredSeven+™

(C)Thereportdescribedinsubsection(c)(vi)(B)ofthissectionshallassesstheeffectsoftransitioningallagencies,orasubsetofagencies,tosharedITserviceswithrespecttocybersecurity,includingbymakingrecommendationstoensureconsistencywithsection227oftheHomelandSecurityAct(6U.S.C.148)andcompliancewithpoliciesandpracticesissuedinaccordancewithsection3553oftitle44,UnitedStatesCode.AllagencyheadsshallsupplysuchinformationconcerningtheircurrentITarchitecturesandplansasisnecessarytocompletethisreportontime.

(vii)ForanyNationalSecuritySystem,asdefinedinsection3552(b)(6)oftitle44,UnitedStatesCode,theSecretaryofDefenseandtheDirectorofNationalIntelligence,ratherthantheSecretaryofHomelandSecurityandtheDirectorofOMB,shallimplementthisordertothemaximumextentfeasibleandappropriate.TheSecretaryofDefenseandtheDirectorofNationalIntelligenceshallprovideareporttotheAssistanttothePresidentforNationalSecurityAffairsandtheAssistanttothePresidentforHomelandSecurityandCounterterrorismdescribingtheirimplementationofsubsection(c)ofthissectionwithin150daysofthedateofthisorder.Thereportdescribedinthissubsectionshallincludeajustificationforanydeviationfromtherequirementsofsubsection(c),andmaybeclassifiedinfullorinpart,asappropriate.

Sec.2.CybersecurityofCriticalInfrastructure.

(a)Policy.ItisthepolicyoftheexecutivebranchtouseitsauthoritiesandcapabilitiestosupportthecybersecurityriskmanagementeffortsoftheownersandoperatorsoftheNation'scriticalinfrastructure(asdefinedinsection5195c(e)oftitle42,UnitedStatesCode)(criticalinfrastructureentities),asappropriate. ✔ ✔ ✔(b)SupporttoCriticalInfrastructureatGreatestRisk.TheSecretaryofHomelandSecurity,incoordinationwiththeSecretaryofDefense,theAttorneyGeneral,theDirectorofNationalIntelligence,theDirectoroftheFederalBureauofInvestigation,theheadsofappropriatesector-specificagencies,asdefinedinPresidentialPolicyDirective21ofFebruary12,2013(CriticalInfrastructureSecurityandResilience)(sector-specificagencies),andallotherappropriateagencyheads,asidentifiedbytheSecretaryofHomelandSecurity,shall:(i)identifyauthoritiesandcapabilitiesthatagenciescouldemploytosupportthecybersecurityeffortsofcriticalinfrastructureentitiesidentifiedpursuanttosection9ofExecutiveOrder13636ofFebruary12,2013(ImprovingCriticalInfrastructureCybersecurity),tobeatgreatestriskofattacksthatcouldreasonablyresultincatastrophicregionalornationaleffectsonpublichealthorsafety,economicsecurity,ornationalsecurity(section9entities);

✔ ✔ ✔ ✔ ✔

(ii)engagesection9entitiesandsolicitinputasappropriatetoevaluatewhetherandhowtheauthoritiesandcapabilitiesidentifiedpursuanttosubsection(b)(i)ofthissectionmightbeemployedtosupportcybersecurityriskmanagementeffortsandanyobstaclestodoingso; ✔ ✔(iii)provideareporttothePresident,whichmaybeclassifiedinfullorinpart,asappropriate,throughtheAssistanttothePresidentforHomelandSecurityandCounterterrorism,within180daysofthedateofthisorder,thatincludesthefollowing:(A)theauthoritiesandcapabilitiesidentifiedpursuanttosubsection(b)(i)ofthissection;

(B)theresultsoftheengagementanddeterminationrequiredpursuanttosubsection(b)(ii)ofthissection;and



TripleHelixSM

AssuredScanDKV®

CyberScore®

DECENT™

AsuredSeven+™

(C)findingsandrecommendationsforbettersupportingthecybersecurityriskmanagementeffortsofsection9entities;and ✔(iv)provideanupdatedreporttothePresidentonanannualbasisthereafter.

(c)SupportingTransparencyintheMarketplace.TheSecretaryofHomelandSecurity,incoordinationwiththeSecretaryofCommerce,shallprovideareporttothePresident,throughtheAssistanttothePresidentforHomelandSecurityandCounterterrorism,thatexaminesthesufficiencyofexistingFederalpoliciesandpracticestopromoteappropriatemarkettransparencyofcybersecurityriskmanagementpracticesbycriticalinfrastructureentities,withafocusonpubliclytradedcriticalinfrastructureentities,within90daysofthedateofthisorder.

✔ ✔

(d)ResilienceAgainstBotnetsandOtherAutomated,DistributedThreats.TheSecretaryofCommerceandtheSecretaryofHomelandSecurityshalljointlyleadanopenandtransparentprocesstoidentifyandpromoteactionbyappropriatestakeholderstoimprovetheresilienceoftheinternetandcommunicationsecosystemandtoencouragecollaborationwiththegoalofdramaticallyreducingthreatsperpetratedbyautomatedanddistributedattacks(e.g.,botnets).TheSecretaryofCommerceandtheSecretaryofHomelandSecurityshallconsultwiththeSecretaryofDefense,theAttorneyGeneral,theDirectoroftheFederalBureauofInvestigation,theheadsofsector-specificagencies,theChairsoftheFederalCommunicationsCommissionandFederalTradeCommission,otherinterestedagencyheads,andappropriatestakeholdersincarryingoutthissubsection.Within240daysofthedateofthisorder,theSecretaryofCommerceandtheSecretaryofHomelandSecurityshallmakepubliclyavailableapreliminaryreportonthiseffort.Within1yearofthedateofthisorder,theSecretariesshallsubmitafinalversionofthisreporttothePresident.

✔ ✔ ✔ ✔

(e)AssessmentofElectricityDisruptionIncidentResponseCapabilities.TheSecretaryofEnergyandtheSecretaryofHomelandSecurity,inconsultationwiththeDirectorofNationalIntelligence,withState,local,tribal,andterritorialgovernments,andwithothersasappropriate,shalljointlyassess:(i)thepotentialscopeanddurationofaprolongedpoweroutageassociatedwithasignificantcyberincident,asdefinedinPresidentialPolicyDirective41ofJuly26,2016(UnitedStatesCyberIncidentCoordination),againsttheUnitedStateselectricsubsector;(ii)thereadinessoftheUnitedStatestomanagetheconsequencesofsuchanincident;and

(iii)anygapsorshortcomingsinassetsorcapabilitiesrequiredtomitigatetheconsequencesofsuchanincident. ✔TheassessmentshallbeprovidedtothePresident,throughtheAssistanttothePresidentforHomelandSecurityandCounterterrorism,within90daysofthedateofthisorder,andmaybeclassifiedinfullorinpart,asappropriate.



TripleHelixSM

AssuredScanDKV®

CyberScore®

DECENT™

AsuredSeven+™

(f)DepartmentofDefenseWarfightingCapabilitiesandIndustrialBase.Within90daysofthedateofthisorder,theSecretaryofDefense,theSecretaryofHomelandSecurity,andtheDirectoroftheFederalBureauofInvestigation,incoordinationwiththeDirectorofNationalIntelligence,shallprovideareporttothePresident,throughtheAssistanttothePresidentforNationalSecurityAffairsandtheAssistanttothePresidentforHomelandSecurityandCounterterrorism,oncybersecurityrisksfacingthedefenseindustrialbase,includingitssupplychain,andUnitedStatesmilitaryplatforms,systems,networks,andcapabilities,andrecommendationsformitigatingtheserisks.Thereportmaybeclassifiedinfullorinpart,asappropriate.

Sec.3.CybersecurityfortheNation.

(a)Policy.Toensurethattheinternetremainsvaluableforfuturegenerations,itisthepolicyoftheexecutivebranchtopromoteanopen,interoperable,reliable,andsecureinternetthatfostersefficiency,innovation,communication,andeconomicprosperity,whilerespectingprivacyandguardingagainstdisruption,fraud,andtheft.Further,theUnitedStatesseekstosupportthegrowthandsustainmentofaworkforcethatisskilledincybersecurityandrelatedfieldsasthefoundationforachievingourobjectivesincyberspace.

✔ ✔ ✔ ✔ ✔

(b)DeterrenceandProtection.Within90daysofthedateofthisorder,theSecretaryofState,theSecretaryoftheTreasury,theSecretaryofDefense,theAttorneyGeneral,theSecretaryofCommerce,theSecretaryofHomelandSecurity,andtheUnitedStatesTradeRepresentative,incoordinationwiththeDirectorofNationalIntelligence,shalljointlysubmitareporttothePresident,throughtheAssistanttothePresidentforNationalSecurityAffairsandtheAssistanttothePresidentforHomelandSecurityandCounterterrorism,ontheNation'sstrategicoptionsfordeterringadversariesandbetterprotectingtheAmericanpeoplefromcyberthreats.(c)InternationalCooperation.Asahighlyconnectednation,theUnitedStatesisespeciallydependentonagloballysecureandresilientinternetandmustworkwithalliesandotherpartnerstowardmaintainingthepolicysetforthinthissection.Within45daysofthedateofthisorder,theSecretaryofState,theSecretaryoftheTreasury,theSecretaryofDefense,theSecretaryofCommerce,andtheSecretaryofHomelandSecurity,incoordinationwiththeAttorneyGeneralandtheDirectoroftheFederalBureauofInvestigation,shallsubmitreportstothePresidentontheirinternationalcybersecuritypriorities,includingthoseconcerninginvestigation,attribution,cyberthreatinformationsharing,response,capacitybuilding,andcooperation.Within90daysofthesubmissionofthereports,andincoordinationwiththeagencyheadslistedinthissubsection,andanyotheragencyheadsasappropriate,theSecretaryofStateshallprovideareporttothePresident,throughtheAssistanttothePresidentforHomelandSecurityandCounterterrorism,documentinganengagementstrategyforinternationalcooperationincybersecurity.(d)WorkforceDevelopment.InordertoensurethattheUnitedStatesmaintainsalong-termcybersecurityadvantage:



TripleHelixSM

AssuredScanDKV®

CyberScore®

DECENT™

AsuredSeven+™

(i)TheSecretaryofCommerceandtheSecretaryofHomelandSecurity,inconsultationwiththeSecretaryofDefense,theSecretaryofLabor,theSecretaryofEducation,theDirectoroftheOfficeofPersonnelManagement,andotheragenciesidentifiedjointlybytheSecretaryofCommerceandtheSecretaryofHomelandSecurity,shall:(A)jointlyassessthescopeandsufficiencyofeffortstoeducateandtraintheAmericancybersecurityworkforceofthefuture,includingcybersecurity-relatededucationcurricula,training,andapprenticeshipprograms,fromprimarythroughhighereducation;and(B)within120daysofthedateofthisorder,provideareporttothePresident,throughtheAssistanttothePresidentforHomelandSecurityandCounterterrorism,withfindingsandrecommendationsregardinghowtosupportthegrowthandsustainmentoftheNation'scybersecurityworkforceinboththepublicandprivatesectors.

(ii)TheDirectorofNationalIntelligence,inconsultationwiththeheadsofotheragenciesidentifiedbytheDirectorofNationalIntelligence,shall:

(A)reviewtheworkforcedevelopmenteffortsofpotentialforeigncyberpeersinordertohelpidentifyforeignworkforcedevelopmentpracticeslikelytoaffectlong-termUnitedStatescybersecuritycompetitiveness;and(B)within60daysofthedateofthisorder,provideareporttothePresidentthroughtheAssistanttothePresidentforHomelandSecurityandCounterterrorismonthefindingsofthereviewcarriedoutpursuanttosubsection(d)(ii)(A)ofthissection.

(iii)TheSecretaryofDefense,incoordinationwiththeSecretaryofCommerce,theSecretaryofHomelandSecurity,andtheDirectorofNationalIntelligence,shall:(A)assessthescopeandsufficiencyofUnitedStateseffortstoensurethattheUnitedStatesmaintainsorincreasesitsadvantageinnational-security-relatedcybercapabilities;and(B)within150daysofthedateofthisorder,provideareporttothePresident,throughtheAssistanttothePresidentforHomelandSecurityandCounterterrorism,withfindingsandrecommendationsontheassessmentcarriedoutpursuanttosubsection(d)(iii)(A)ofthissection.

(iv)Thereportsdescribedinthissubsectionmaybeclassifiedinfullorinpart,asappropriate.

Sec.4.Definitions.Forthepurposesofthisorder:

(a)Theterm"appropriatestakeholders"meansanynon-executive-branchpersonorentitythatelectstoparticipateinanopenandtransparentprocessestablishedbytheSecretaryofCommerceandtheSecretaryofHomelandSecurityundersection2(d)ofthisorder.(b)Theterm"informationtechnology"(IT)hasthemeaninggiventothatterminsection11101(6)oftitle40,UnitedStatesCode,andfurtherincludeshardwareandsoftwaresystemsofagenciesthatmonitorandcontrolphysicalequipmentandprocesses.



TripleHelixSM

AssuredScanDKV®

CyberScore®

DECENT™

AsuredSeven+™

(c)Theterm"ITarchitecture"referstotheintegrationandimplementationofITwithinanagency.

(d)Theterm"networkarchitecture"referstotheelementsofITarchitecturethatenableorfacilitatecommunicationsbetweentwoormoreITassets.

Sec.5.GeneralProvisions.

(a)Nothinginthisordershallbeconstruedtoimpairorotherwiseaffect:

(i)theauthoritygrantedbylawtoanexecutivedepartmentoragency,ortheheadthereof;or

(ii)thefunctionsoftheDirectorofOMBrelatingtobudgetary,administrative,orlegislativeproposals.

(b)Thisordershallbeimplementedconsistentwithapplicablelawandsubjecttotheavailabilityofappropriations.

(c)Allactionstakenpursuanttothisordershallbeconsistentwithrequirementsandauthoritiestoprotectintelligenceandlawenforcementsourcesandmethods.Nothinginthisordershallbeconstruedtosupersedemeasuresestablishedunderauthorityoflawtoprotectthesecurityandintegrityofspecificactivitiesandassociationsthatareindirectsupportofintelligenceorlawenforcementoperations.(d)Thisorderisnotintendedto,anddoesnot,createanyrightorbenefit,substantiveorprocedural,enforceableatlaworinequitybyanypartyagainsttheUnitedStates,itsdepartments,agencies,orentities,itsofficers,employees,oragents,oranyotherperson.

www.assured.enterprises