The Trump Administration appears likely to release an Executive Order on Cybersecurity. The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors. However, it remains unclear if and when the current draft will be signed.
President Trump originally was scheduled to sign an Executive Order on Cybersecurity on February 1, 2017, but the signing was postponed. The original draft Order, titled “Strengthening U.S. Cyber Security and Capabilities,” (the “first draft Order”) articulated a general policy focused on enhancing the nation’s cybersecurity defenses and capabilities, particularly with respect to specified federal systems and critical infrastructures. Specifically, the first draft Order directed the Department of Defense (“DOD”) and Department of Homeland Security (“DHS”)—in coordination with representatives of the intelligence community—to accomplish three main goals. First, to conduct a review of cybersecurity vulnerabilities in national security systems, federal networks, and critical civilian infrastructure systems. Second, to identify the United States’ cyber adversaries. Third, to conduct a review of the United States’ cybersecurity capabilities, including a review of “U.S. efforts to educate and train the workforce of the future.”
On Friday, February 10, 2017, a revised draft of the Executive Order was circulated. The revised draft Order, now retitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” (the “Revised Order”) is significantly different from the first draft Order and more closely aligns with Executive Order 13636, “Improving Critical Infrastructure Security,” signed by President Obama on February 12, 2013. Like Executive Order 13636, the Revised Order focuses on an agency-led, risk-based approach to cybersecurity and, in particular, requires federal agencies to adopt the NIST Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”) to manage cybersecurity risk. The Revised Order also delegates primary responsibility for developing a comprehensive risk management plan to the Executive Branch, specifically the Office of Management and Budget (“OMB”) and DHS. Continue Reading