Copyright 2017 Assured Enterprises Page 1
Executive Order Checklist
ASSURED ENTERPRISES: STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE
Checklist columns: TripleHelix℠ · AssuredScan DKV® · CyberScore® · DECENT™ · AssuredSeven+™
By the authority vested in me as President by the Constitution and the laws of the United States of America, and to protect American innovation and values, it is hereby ordered as follows:

Section 1. Cybersecurity of Federal Networks.

(a) Policy. The executive branch operates its information technology (IT) on behalf of the American people. Its IT and data should be secured responsibly using all United States Government capabilities. The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises. In addition, because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise.
✔ ✔ ✔ ✔ ✔

(b) Findings.

(i) Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents. Information sharing facilitates and supports all of these activities. ✔ ✔ ✔

(ii) The executive branch has for too long accepted antiquated and difficult-to-defend IT.

(iii) Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity. ✔ ✔

(iv) Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor's support lifecycle, declining to implement a vendor's security patch, or failing to execute security-specific configuration guidance.
✔

(v) Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources. ✔ ✔
(c) Risk Management.

(i) Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data. They will also be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code.
✔ ✔

(ii) Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order. The risk management report shall:
✔ ✔

(A) document the risk mitigation and acceptance choices made by each agency head as of the date of this order, including: ✔
(1) the strategic, operational, and budgetary considerations that informed those choices; and ✔
(2) any accepted risk, including from unmitigated vulnerabilities; and ✔ ✔

(B) describe the agency's action plan to implement the Framework. ✔

(iii) The Secretary of Homeland Security and the Director of OMB, consistent with chapter 35, subchapter II of title 44, United States Code, shall jointly assess each agency's risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate (the determination).
✔ ✔

(iv) The Director of OMB, in coordination with the Secretary of Homeland Security, with appropriate support from the Secretary of Commerce and the Administrator of General Services, and within 60 days of receipt of the agency risk management reports outlined in subsection (c)(ii) of this section, shall submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the following:
✔ ✔

(A) the determination; and

(B) a plan to:
(1) adequately protect the executive branch enterprise, should the determination identify insufficiencies; ✔
(2) address immediate unmet budgetary needs necessary to manage risk to the executive branch enterprise; ✔ ✔
(3) establish a regular process for reassessing and, if appropriate, reissuing the determination, and addressing future, recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise; ✔
(4) clarify, reconcile, and reissue, as necessary and to the extent permitted by law, all policies, standards, and guidelines issued by any agency in furtherance of chapter 35, subchapter II of title 44, United States Code, and, as necessary and to the extent permitted by law, issue policies, standards, and guidelines in furtherance of this order; and
✔
(5) align these policies, standards, and guidelines with the Framework. ✔

(v) The agency risk management reports described in subsection (c)(ii) of this section and the determination and plan described in subsections (c)(iii) and (iv) of this section may be classified in full or in part, as appropriate.

(vi) Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture. ✔ ✔ ✔ ✔ ✔

(A) Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.

(B) The Director of the American Technology Council shall coordinate a report to the President from the Secretary of Homeland Security, the Director of OMB, and the Administrator of General Services, in consultation with the Secretary of Commerce, as appropriate, regarding modernization of Federal IT. The report shall:
(1) be completed within 90 days of the date of this order; and
(2) describe the legal, policy, and budgetary considerations relevant to -- as well as the technical feasibility and cost effectiveness, including timelines and milestones, of -- transitioning all agencies, or a subset of agencies, to:
(aa) one or more consolidated network architectures; and
(bb) shared IT services, including email, cloud, and cybersecurity services.
(C) The report described in subsection (c)(vi)(B) of this section shall assess the effects of transitioning all agencies, or a subset of agencies, to shared IT services with respect to cybersecurity, including by making recommendations to ensure consistency with section 227 of the Homeland Security Act (6 U.S.C. 148) and compliance with policies and practices issued in accordance with section 3553 of title 44, United States Code. All agency heads shall supply such information concerning their current IT architectures and plans as is necessary to complete this report on time.

(vii) For any National Security System, as defined in section 3552(b)(6) of title 44, United States Code, the Secretary of Defense and the Director of National Intelligence, rather than the Secretary of Homeland Security and the Director of OMB, shall implement this order to the maximum extent feasible and appropriate. The Secretary of Defense and the Director of National Intelligence shall provide a report to the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism describing their implementation of subsection (c) of this section within 150 days of the date of this order. The report described in this subsection shall include a justification for any deviation from the requirements of subsection (c), and may be classified in full or in part, as appropriate.

Sec. 2. Cybersecurity of Critical Infrastructure.

(a) Policy. It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure (as defined in section 5195c(e) of title 42, United States Code) (critical infrastructure entities), as appropriate. ✔ ✔ ✔

(b) Support to Critical Infrastructure at Greatest Risk. The Secretary of Homeland Security, in coordination with the Secretary of Defense, the Attorney General, the Director of National Intelligence, the Director of the Federal Bureau of Investigation, the heads of appropriate sector-specific agencies, as defined in Presidential Policy Directive 21 of February 12, 2013 (Critical Infrastructure Security and Resilience) (sector-specific agencies), and all other appropriate agency heads, as identified by the Secretary of Homeland Security, shall:

(i) identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities identified pursuant to section 9 of Executive Order 13636 of February 12, 2013 (Improving Critical Infrastructure Cybersecurity), to be at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security (section 9 entities);
✔ ✔ ✔ ✔ ✔

(ii) engage section 9 entities and solicit input as appropriate to evaluate whether and how the authorities and capabilities identified pursuant to subsection (b)(i) of this section might be employed to support cybersecurity risk management efforts and any obstacles to doing so; ✔ ✔

(iii) provide a report to the President, which may be classified in full or in part, as appropriate, through the Assistant to the President for Homeland Security and Counterterrorism, within 180 days of the date of this order, that includes the following:

(A) the authorities and capabilities identified pursuant to subsection (b)(i) of this section;

(B) the results of the engagement and determination required pursuant to subsection (b)(ii) of this section; and
(C) findings and recommendations for better supporting the cybersecurity risk management efforts of section 9 entities; and ✔

(iv) provide an updated report to the President on an annual basis thereafter.

(c) Supporting Transparency in the Marketplace. The Secretary of Homeland Security, in coordination with the Secretary of Commerce, shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, that examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities, within 90 days of the date of this order.
✔ ✔

(d) Resilience Against Botnets and Other Automated, Distributed Threats. The Secretary of Commerce and the Secretary of Homeland Security shall jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets). The Secretary of Commerce and the Secretary of Homeland Security shall consult with the Secretary of Defense, the Attorney General, the Director of the Federal Bureau of Investigation, the heads of sector-specific agencies, the Chairs of the Federal Communications Commission and Federal Trade Commission, other interested agency heads, and appropriate stakeholders in carrying out this subsection. Within 240 days of the date of this order, the Secretary of Commerce and the Secretary of Homeland Security shall make publicly available a preliminary report on this effort. Within 1 year of the date of this order, the Secretaries shall submit a final version of this report to the President.
✔ ✔ ✔ ✔

(e) Assessment of Electricity Disruption Incident Response Capabilities. The Secretary of Energy and the Secretary of Homeland Security, in consultation with the Director of National Intelligence, with State, local, tribal, and territorial governments, and with others as appropriate, shall jointly assess:

(i) the potential scope and duration of a prolonged power outage associated with a significant cyber incident, as defined in Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination), against the United States electric subsector;

(ii) the readiness of the United States to manage the consequences of such an incident; and

(iii) any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident. ✔

The assessment shall be provided to the President, through the Assistant to the President for Homeland Security and Counterterrorism, within 90 days of the date of this order, and may be classified in full or in part, as appropriate.
(f) Department of Defense Warfighting Capabilities and Industrial Base. Within 90 days of the date of this order, the Secretary of Defense, the Secretary of Homeland Security, and the Director of the Federal Bureau of Investigation, in coordination with the Director of National Intelligence, shall provide a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks. The report may be classified in full or in part, as appropriate.

Sec. 3. Cybersecurity for the Nation.

(a) Policy. To ensure that the internet remains valuable for future generations, it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft. Further, the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.
✔ ✔ ✔ ✔ ✔

(b) Deterrence and Protection. Within 90 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, and the United States Trade Representative, in coordination with the Director of National Intelligence, shall jointly submit a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on the Nation's strategic options for deterring adversaries and better protecting the American people from cyber threats.

(c) International Cooperation. As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy set forth in this section. Within 45 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation. Within 90 days of the submission of the reports, and in coordination with the agency heads listed in this subsection, and any other agency heads as appropriate, the Secretary of State shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, documenting an engagement strategy for international cooperation in cybersecurity.

(d) Workforce Development. In order to ensure that the United States maintains a long-term cybersecurity advantage:
(i) The Secretary of Commerce and the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Secretary of Labor, the Secretary of Education, the Director of the Office of Personnel Management, and other agencies identified jointly by the Secretary of Commerce and the Secretary of Homeland Security, shall:

(A) jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education; and

(B) within 120 days of the date of this order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations regarding how to support the growth and sustainment of the Nation's cybersecurity workforce in both the public and private sectors.

(ii) The Director of National Intelligence, in consultation with the heads of other agencies identified by the Director of National Intelligence, shall:

(A) review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness; and

(B) within 60 days of the date of this order, provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism on the findings of the review carried out pursuant to subsection (d)(ii)(A) of this section.

(iii) The Secretary of Defense, in coordination with the Secretary of Commerce, the Secretary of Homeland Security, and the Director of National Intelligence, shall:

(A) assess the scope and sufficiency of United States efforts to ensure that the United States maintains or increases its advantage in national-security-related cyber capabilities; and

(B) within 150 days of the date of this order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations on the assessment carried out pursuant to subsection (d)(iii)(A) of this section.

(iv) The reports described in this subsection may be classified in full or in part, as appropriate.

Sec. 4. Definitions. For the purposes of this order:

(a) The term "appropriate stakeholders" means any non-executive-branch person or entity that elects to participate in an open and transparent process established by the Secretary of Commerce and the Secretary of Homeland Security under section 2(d) of this order.

(b) The term "information technology" (IT) has the meaning given to that term in section 11101(6) of title 40, United States Code, and further includes hardware and software systems of agencies that monitor and control physical equipment and processes.
(c) The term "IT architecture" refers to the integration and implementation of IT within an agency.

(d) The term "network architecture" refers to the elements of IT architecture that enable or facilitate communications between two or more IT assets.

Sec. 5. General Provisions.

(a) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law to an executive department or agency, or the head thereof; or

(ii) the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.

(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be construed to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence or law enforcement operations.

(d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
www.assured.enterprises