June 18, 2019

June 18, 2019

Subscribe to Latest Legal News and Analysis

June 17, 2019

Subscribe to Latest Legal News and Analysis

Executive Orders Require Review of Federal IT and Cybersecurity Resources

The White House recently released two executive orders focusing on the government’s use of information technology and the need to assess cybersecurity threats to the country’s critical infrastructure. These executive orders highlight the importance of a more comprehensive and unified federal approach to cybersecurity issues, but aggressive timelines may create certain challenges, as noted below.

The American Technology Council

The first executive order, signed on April 28, 2017, establishes the American Technology Council (the "Council"), which will operate under the White House's Office of American Innovation. The Council is comprised of the president, vice president, the secretaries of Defense, Commerce and Homeland Security, as well as the Director of the Office of Management and Budget ("OMB"), National Intelligence, Office of Science and Technology Policy, and other government officials with technology-related portfolios.

The Council is tasked with coordinating the development of the vision and policy of the use of information technology by the federal government. It is also responsible for coordinating advice on information technology policy delivered to the president. This new role will take on additional importance in the near future in light of the government’s review of cybersecurity threats discussed below. Specifically, Section 7(d) directs the Director of National Intelligence to share classified information with the Council on “cybersecurity threats, vulnerabilities, and mitigation procedures.”

While the Council's authority to review the federal government's use of information technology is quite broad, it will not be permitted to review issues that relate to national security systems, or override the authority of government agencies and the OMB to develop agency-specific policies.

The Cyber Executive Order

The second executive order, signed on May 11, 2017, (the “Cyber EO”) requires a comprehensive review of the federal government's information technology resources, with the express goal of implementing cybersecurity risk management measures to protect federal networks and data. Every agency within the executive branch will be required to participate. Some agencies are required to produce multiple reports over the next nine to 12 months.

Risk Assessments:

First, each executive branch agency is required to conduct an assessment of its cybersecurity risks based on the Framework for Improving Critical Infrastructure Security (the “Framework") developed by the National Institute of Standards and Technology (NIST) in 2014. The Framework is currently being updated by NIST, with comments on the proposed changes having been submitted last month ("Version 1.1").1 Because the Cyber EO requires that these reports be prepared by August 9, 2017, it is unclear whether Version 1.1 will be ready for agencies to use, or whether the 2014 Framework will be used.

The Secretary for Homeland Security and the Director of the OMB will review the risk assessments, which will be submitted in August 2017, and prepare a report by October 8, 2017, proposing a plan to address each agency’s (i) cybersecurity risks; (ii) unmet budgetary needs; and (iii) proposals to align the agency's policies, standards and guidelines with the Framework.

As the executive branch agencies conduct their risk assessments, the newly created American Technology Council, described above, is tasked with preparing a report by August 9, 2017, on the legal, policy and budgetary considerations associated with transitioning all executive branch agencies to shared IT services (including email, cloud and cybersecurity services). To complete this report, all executive branch agencies are directed to coordinate with and supply the Council with their current IT architectures.

Cybersecurity of Critical Infrastructure:

In addition to the risk assessments, the Cyber EO directs the preparation of reports assessing the cybersecurity of critical infrastructure entities. These reports are due as follows:


Due Date

Market Transparency of Cybersecurity Risk

August 9, 2017

Electricity Disruption Incident Response Capabilities

August 9, 2017

Department of Defense Warfighting Capabilities and Industrial Base

August 9, 2017

Critical Infrastructure at Greatest Risk

November 7, 2017

Resilience Against Botnets and Automated Distributed Threats

January 6, 2018

Cybersecurity of Nation:

The Cyber EO further addresses cybersecurity priorities to protect U.S. citizens on the internet and the development of a workforce skilled in cybersecurity. Additional reports are to be prepared and delivered to the president as follows:


Due Date

International Cybersecurity Priorities of Secretary of State, Defense, Commerce and Homeland Security

June 25, 2017

International Workforce Cybersecurity Education and Training

July 10, 2017

Deterring Adversaries and Protecting Americans from Cyber Threats

August 9, 2017

Domestic Workforce Cybersecurity Education and Training

September 8, 2017

International Cooperation and Engagement Strategy

September 23, 2017

Maintaining Advantage in National Security-Related Cyber Capabilities

October 8, 2017

These reports will require coordination and cooperation among federal agencies and cabinet-level departments within the executive branch. Not surprisingly, the Secretary of Homeland Security will be leading many of the efforts, along with the Secretary of Defense, the Director of the Federal Bureau of Investigation and the U.S. Attorney General.

The Cyber EO will require substantial coordination among the various executive branch agencies, White House staff and international partners. At least seven reports covering different subjects are required to be submitted by August 9, 2017, with an additional five reports due by January 2018.

These aggressive timelines may be difficult to meet because the NIST Framework is currently being revised and may not be ready for use by the executive branch agencies in the preparation of risk assessments due by August 9, 2017. As a result, it is unclear how useful the risk assessments will be in light of the outdated state of the 2014 Framework, and the substantial changes proposed in Version 1.1.

 1. We reviewed the proposed changes in the Framework in here.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved


About this Author

Anand Raj Shah, Drinker Biddle Law Firm, Cybersecurity Attorney

Anand Raj Shah counsels clients on issues relating to cybersecurity, information governance, privacy, eDiscovery and data analytics. He assists clients in proactively evaluating and managing risks associated with their information practices, particularly during breach response or cybercrime investigations. Anand advises clients on a wide range of federal laws and regulations, including CFAA, ECPA, HIPAA, GLB, FISMA, CAN-SPAM, VPPA, COPPA, FCRA, and CISA, along with international and state data protection and breach notification laws. He guides clients on...