Defense Industrial Base

The Trump Administration appears likely to release an Executive Order on Cybersecurity.  The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors.  However, it remains unclear if and when the current draft will be signed.

President Trump originally was scheduled to sign an Executive Order on Cybersecurity on February 1, 2017, but the signing was postponed.  The original draft Order, titled “Strengthening U.S. Cyber Security and Capabilities,” (the “first draft Order”) articulated a general policy focused on enhancing the nation’s cybersecurity defenses and capabilities, particularly with respect to specified federal systems and critical infrastructures.  Specifically, the first draft Order directed the Department of Defense (“DOD”) and Department of Homeland Security (“DHS”)—in coordination with representatives of the intelligence community—to accomplish three main goals.  First, to conduct a review of cybersecurity vulnerabilities in national security systems, federal networks, and critical civilian infrastructure systems.  Second, to identify the United States’ cyber adversaries.  Third, to conduct a review of the United States’ cybersecurity capabilities, including a review of “U.S. efforts to educate and train the workforce of the future.”

On Friday, February 10, 2017, a revised draft of the Executive Order was circulated.  The revised draft Order, now retitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” (the “Revised Order”) is significantly different from the first draft Order and more closely aligns with Executive Order 13636, “Improving Critical Infrastructure Security,” signed by President Obama on February 12, 2013.  Like Executive Order 13636, the Revised Order focuses on an agency-led, risk-based approach to cybersecurity and, in particular, requires federal agencies to adopt the NIST Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”) to manage cybersecurity risk.  The Revised Order also delegates primary responsibility for developing a comprehensive risk management plan to the Executive Branch, specifically the Office of Management and Budget (“OMB”) and DHS.

Today, our colleagues Susan Cassidy, Ashden Fein, and John Sorrenti posted an article on Inside Government Contracts about the Department of Defense (DoD) issuing a Final Rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors. The article can be read here.