Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

May 16, 2017

Summary

Makes federal agencies responsible for protecting their computer systems and helps protect the nation's most important services from cyber attacks.

What problem does this solve?

The federal government's computer systems are old, have known weaknesses, and are difficult to protect from cyber threats. This order makes agency leaders accountable for security, requires them to use a modern security plan, and pushes for updated technology.

What does this order do?

Makes agency heads accountable for cybersecurity
Holds the leaders of executive departments and agencies directly responsible for managing the cybersecurity risks to their organizations.
Requires a standard security framework
Mandates that all federal agencies use the National Institute of Standards and Technology (NIST) Framework to manage their cybersecurity risk.
Pushes for IT modernization
Directs agencies to prefer shared IT services, like cloud and email services, and requires a report on moving the government to consolidated networks.
Supports security for critical infrastructure
Requires government agencies to identify how they can help protect the nation's most important infrastructure, like the power grid and financial systems, from cyber attacks.
Addresses botnets and other automated threats
Starts a process to work with private companies and others to find ways to reduce threats from large-scale automated attacks like botnets.
Focuses on growing the cybersecurity workforce
Requires reports on how to better educate and train people for cybersecurity jobs in both the government and private companies.
Promotes international cooperation
Directs the Secretary of State to create a plan for working with allies and partners to improve global cybersecurity.

Who does this affect?

  • Federal government agencies
  • Critical infrastructure operators (e.g., energy, finance, communications)
  • Defense contractors

What is the real world impact?

Modernizes outdated government technology
Addresses the long-standing problem that many federal computer systems are old and hard to defend. Pushes agencies to adopt modern, shared services like cloud computing to improve security and efficiency.
Establishes clear accountability for security
Makes the heads of federal agencies directly responsible to the President for managing cybersecurity risks. This prevents security from being treated as a low-priority issue.
Increases reporting requirements for agencies
Creates a significant new workload for federal agencies, which must produce numerous detailed reports on risk, modernization, and capabilities within very short deadlines. This could strain agency resources.

When does this start?

This order sets multiple deadlines for reports and actions from federal agencies, most of which are within 90 to 180 days of May 11, 2017.
International cooperation reports
Within 45 days, key departments must submit reports on their international cybersecurity priorities.
Agency risk management reports
Within 90 days, each agency head must provide a report on their cybersecurity risks and their plan to implement the NIST Framework.
IT modernization report
Within 90 days, a report on the plan to move federal agencies to shared IT services must be sent to the President.
Electricity disruption assessment
Within 90 days, an assessment of the country's readiness to handle a major power outage from a cyber incident must be provided to the President.
Cybersecurity workforce report
Within 120 days, a report with recommendations on how to grow the nation's cybersecurity workforce must be provided to the President.
Report on reducing botnet threats
A preliminary report on reducing threats from botnets is due in 240 days, with a final report due within one year.