A new Executive Order represents a significant change in the federal government’s stance on overall risk management, the protection of its networks and critical infrastructure, and the management of cybersecurity risk.
On May 11, 2017, President Trump issued the “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”. A key provision of this order is its mandate that “Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk.” This provision is significant because, since its issuance in 2014, the Framework has been a “voluntary compliance” framework, and many entities have chosen not to implement it because of the cost of implementation and ongoing maintenance. Going forward, because of the underlying requirements of the Framework, it is probable that any company doing business with the Federal government will be required to comply with the Framework as well. It is therefore anticipated that many of those companies will face a “rush to compliance” between now and the end of this year.
The Framework requires that the company have effective written information security policies and procedures (WISP) in place. When dealing with Federal government agencies, such policies and procedures should be based on NIST Special Publication 800-53 (Rev. 4), “Security Controls and Assessment Procedures for Federal Information Systems and Organizations” (NIST SP 800-53). This publication catalogs and recommends security controls for federal information systems and organizations.
Implementing an effective information security program and control environment that complies with the Framework will require the company to do at least the following:
- Develop and maintain a set of written information security policies and procedures (WISP) based on the requirements of NIST SP 800-53;
- Develop and maintain documentation of security roles and responsibilities, together with the related organization chart;
- Develop and maintain third-party security agreements and related risk assessments, with the risk assessments updated at least annually;
- Develop and maintain a written Business Continuity Plan. This plan must be tested at least annually, with the results of such testing documented;
- Perform a Risk Assessment at least annually, with the results approved by management;
- Develop and maintain a written Incident Response Plan;
- Develop and maintain documentation of network resources, connections and data flows;
- Develop and maintain a written data retention and destruction policy;
- Perform and document a physical security review, and update the Physical and Environmental Protection policy as appropriate;
- Develop, document and maintain an inventory of assets, including the assignment of appropriate risk classifications and adequate encryption controls where appropriate;
- Develop, document and maintain an effective network management, patch management, and firewall monitoring and management program. This must include effective logging, monitoring and reporting systems and controls;
- Perform and document periodic vulnerability scans and reliability testing;
- Subscribe to security alert services;
- Provide annual cybersecurity training, including documentation of such training and evidence of employee testing that supports the effectiveness of such training; and
- Document board/management review and approval of the company’s Information Security Program, WISP and related documentation.
This executive order represents a significant change in the federal government’s stance on overall risk management, the protection of its networks and critical infrastructure, and the management of cybersecurity risk. Compliance is no longer voluntary. All companies need to evaluate their current information security programs, controls, policies and procedures, and make the appropriate changes to ensure compliance.