OCR of the Document

View the Document >>

Donald J. Trump, Executive Order, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," May 11, 2017. Unclassified.

Federal Register Vol 82 No 93 Tuesday May 16 2017 Presidential Documents 22391 Presidential Documents Executive Order 13800 of May 11 2017 Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure By the authority vested in me as President by the Constitution and the laws of the United States of America and to protect American innovation and values it is hereby ordered as follows Section 1 Cybersecurity of Federal Networks a Policy The executive branch operates its information technology IT on behalf of the American people Its IT and data should be secured responsibly using all United States Government capabilities The President will hold heads of executive departments and agencies agency heads accountable for managing cybersecurity risk to their enterprises In addition because risk management decisions made by agency heads can affect the risk to the executive branch as a whole and to national security it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise b Findings i Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats to maintain awareness of cyber threats to detect anomalies and incidents adversely affecting IT and data and to mitigate the impact of respond to and recover from incidents Information sharing facilitates and supports all of these activities ii The executive branch has for too long accepted antiquated and difficultto-defend IT iii Effective risk management involves more than just protecting IT and data currently in place It also requires planning so that maintenance improvements and modernization occur in a coordinated way and with appropriate regularity iv Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies agencies Known vulnerabilities include using operating systems or hardware beyond the vendor's support lifecycle declining to implement a vendor's security patch or failing to execute security-specific configuration guidance v Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT security budgeting acquisition law privacy and human resources pmangrum on DSK3GDR082PROD with PRES DOCS c Risk Management i Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access use disclosure disruption modification or destruction of IT and data They will also be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic operational and budgetary planning processes in accordance with chapter 35 subchapter II of title 44 United States Code VerDate Sep 11 2014 13 23 May 15 2017 Jkt 241001 PO 00000 Frm 00001 Fmt 4790 Sfmt 4790 E FR FM 16MYE1 SGM 16MYE1 22392 Federal Register Vol 82 No 93 Tuesday May 16 2017 Presidential Documents ii Effective immediately each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity the Framework developed by the National Institute of Standards and Technology or any successor document to manage the agency's cybersecurity risk Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget OMB within 90 days of the date of this order The risk management report shall A document the risk mitigation and acceptance choices made by each agency head as of the date of this order including 1 the strategic operational and budgetary considerations that informed those choices and 2 any accepted risk including from unmitigated vulnerabilities and B describe the agency's action plan to implement the Framework iii The Secretary of Homeland Security and the Director of OMB consistent with chapter 35 subchapter II of title 44 United States Code shall jointly assess each agency's risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate the determination iv The Director of OMB in coordination with the Secretary of Homeland Security with appropriate support from the Secretary of Commerce and the Administrator of General Services and within 60 days of receipt of the agency risk management reports outlined in subsection c ii of this section shall submit to the President through the Assistant to the President for Homeland Security and Counterterrorism the following A the determination and B a plan to 1 adequately protect the executive branch enterprise should the determination identify insufficiencies 2 address immediate unmet budgetary needs necessary to manage risk to the executive branch enterprise 3 establish a regular process for reassessing and if appropriate reissuing the determination and addressing future recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise 4 clarify reconcile and reissue as necessary and to the extent permitted by law all policies standards and guidelines issued by any agency in furtherance of chapter 35 subchapter II of title 44 United States Code and as necessary and to the extent permitted by law issue policies standards and guidelines in furtherance of this order and 5 align these policies standards and guidelines with the Framework v The agency risk management reports described in subsection c ii of this section and the determination and plan described in subsections c iii and iv of this section may be classified in full or in part as appropriate pmangrum on DSK3GDR082PROD with PRES DOCS vi Effective immediately it is the policy of the executive branch to build and maintain a modern secure and more resilient executive branch IT architecture A Agency heads shall show preference in their procurement for shared IT services to the extent permitted by law including email cloud and cybersecurity services B The Director of the American Technology Council shall coordinate a report to the President from the Secretary of Homeland Security the Director of OMB and the Administrator of General Services in consultation with the Secretary of Commerce as appropriate regarding modernization of Federal IT The report shall VerDate Sep 11 2014 13 23 May 15 2017 Jkt 241001 PO 00000 Frm 00002 Fmt 4790 Sfmt 4790 E FR FM 16MYE1 SGM 16MYE1 Federal Register Vol 82 No 93 Tuesday May 16 2017 Presidential Documents 22393 1 be completed within 90 days of the date of this order and 2 describe the legal policy and budgetary considerations relevant to--as well as the technical feasibility and cost effectiveness including timelines and milestones of--transitioning all agencies or a subset of agencies to aa one or more consolidated network architectures and bb shared IT services including email cloud and cybersecurity services C The report described in subsection c vi B of this section shall assess the effects of transitioning all agencies or a subset of agencies to shared IT services with respect to cybersecurity including by making recommendations to ensure consistency with section 227 of the Homeland Security Act 6 U S C 148 and compliance with policies and practices issued in accordance with section 3553 of title 44 United States Code All agency heads shall supply such information concerning their current IT architectures and plans as is necessary to complete this report on time vii For any National Security System as defined in section 3552 b 6 of title 44 United States Code the Secretary of Defense and the Director of National Intelligence rather than the Secretary of Homeland Security and the Director of OMB shall implement this order to the maximum extent feasible and appropriate The Secretary of Defense and the Director of National Intelligence shall provide a report to the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism describing their implementation of subsection c of this section within 150 days of the date of this order The report described in this subsection shall include a justification for any deviation from the requirements of subsection c and may be classified in full or in part as appropriate Sec 2 Cybersecurity of Critical Infrastructure a Policy It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure as defined in section 5195c e of title 42 United States Code critical infrastructure entities as appropriate pmangrum on DSK3GDR082PROD with PRES DOCS b Support to Critical Infrastructure at Greatest Risk The Secretary of Homeland Security in coordination with the Secretary of Defense the Attorney General the Director of National Intelligence the Director of the Federal Bureau of Investigation the heads of appropriate sector-specific agencies as defined in Presidential Policy Directive 21 of February 12 2013 Critical Infrastructure Security and Resilience sector-specific agencies and all other appropriate agency heads as identified by the Secretary of Homeland Security shall i identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities identified pursuant to section 9 of Executive Order 13636 of February 12 2013 Improving Critical Infrastructure Cybersecurity to be at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety economic security or national security section 9 entities ii engage section 9 entities and solicit input as appropriate to evaluate whether and how the authorities and capabilities identified pursuant to subsection b i of this section might be employed to support cybersecurity risk management efforts and any obstacles to doing so iii provide a report to the President which may be classified in full or in part as appropriate through the Assistant to the President for Homeland Security and Counterterrorism within 180 days of the date of this order that includes the following VerDate Sep 11 2014 13 23 May 15 2017 Jkt 241001 PO 00000 Frm 00003 Fmt 4790 Sfmt 4790 E FR FM 16MYE1 SGM 16MYE1 22394 Federal Register Vol 82 No 93 Tuesday May 16 2017 Presidential Documents A the authorities and capabilities identified pursuant to subsection b i of this section B the results of the engagement and determination required pursuant to subsection b ii of this section and C findings and recommendations for better supporting the cybersecurity risk management efforts of section 9 entities and iv provide an updated report to the President on an annual basis thereafter c Supporting Transparency in the Marketplace The Secretary of Homeland Security in coordination with the Secretary of Commerce shall provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism that examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities with a focus on publicly traded critical infrastructure entities within 90 days of the date of this order d Resilience Against Botnets and Other Automated Distributed Threats The Secretary of Commerce and the Secretary of Homeland Security shall jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks e g botnets The Secretary of Commerce and the Secretary of Homeland Security shall consult with the Secretary of Defense the Attorney General the Director of the Federal Bureau of Investigation the heads of sector-specific agencies the Chairs of the Federal Communications Commission and Federal Trade Commission other interested agency heads and appropriate stakeholders in carrying out this subsection Within 240 days of the date of this order the Secretary of Commerce and the Secretary of Homeland Security shall make publicly available a preliminary report on this effort Within 1 year of the date of this order the Secretaries shall submit a final version of this report to the President e Assessment of Electricity Disruption Incident Response Capabilities The Secretary of Energy and the Secretary of Homeland Security in consultation with the Director of National Intelligence with State local tribal and territorial governments and with others as appropriate shall jointly assess i the potential scope and duration of a prolonged power outage associated with a significant cyber incident as defined in Presidential Policy Directive 41 of July 26 2016 United States Cyber Incident Coordination against the United States electric subsector pmangrum on DSK3GDR082PROD with PRES DOCS ii the readiness of the United States to manage the consequences of such an incident and iii any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident The assessment shall be provided to the President through the Assistant to the President for Homeland Security and Counterterrorism within 90 days of the date of this order and may be classified in full or in part as appropriate f Department of Defense Warfighting Capabilities and Industrial Base Within 90 days of the date of this order the Secretary of Defense the Secretary of Homeland Security and the Director of the Federal Bureau of Investigation in coordination with the Director of National Intelligence shall provide a report to the President through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism on cybersecurity risks facing the defense VerDate Sep 11 2014 13 23 May 15 2017 Jkt 241001 PO 00000 Frm 00004 Fmt 4790 Sfmt 4790 E FR FM 16MYE1 SGM 16MYE1 Federal Register Vol 82 No 93 Tuesday May 16 2017 Presidential Documents 22395 industrial base including its supply chain and United States military platforms systems networks and capabilities and recommendations for mitigating these risks The report may be classified in full or in part as appropriate Sec 3 Cybersecurity for the Nation a Policy To ensure that the internet remains valuable for future generations it is the policy of the executive branch to promote an open interoperable reliable and secure internet that fosters efficiency innovation communication and economic prosperity while respecting privacy and guarding against disruption fraud and theft Further the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace b Deterrence and Protection Within 90 days of the date of this order the Secretary of State the Secretary of the Treasury the Secretary of Defense the Attorney General the Secretary of Commerce the Secretary of Homeland Security and the United States Trade Representative in coordination with the Director of National Intelligence shall jointly submit a report to the President through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism on the Nation's strategic options for deterring adversaries and better protecting the American people from cyber threats c International Cooperation As a highly connected nation the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy set forth in this section Within 45 days of the date of this order the Secretary of State the Secretary of the Treasury the Secretary of Defense the Secretary of Commerce and the Secretary of Homeland Security in coordination with the Attorney General and the Director of the Federal Bureau of Investigation shall submit reports to the President on their international cybersecurity priorities including those concerning investigation attribution cyber threat information sharing response capacity building and cooperation Within 90 days of the submission of the reports and in coordination with the agency heads listed in this subsection and any other agency heads as appropriate the Secretary of State shall provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism documenting an engagement strategy for international cooperation in cybersecurity d Workforce Development In order to ensure that the United States maintains a long-term cybersecurity advantage i The Secretary of Commerce and the Secretary of Homeland Security in consultation with the Secretary of Defense the Secretary of Labor the Secretary of Education the Director of the Office of Personnel Management and other agencies identified jointly by the Secretary of Commerce and the Secretary of Homeland Security shall pmangrum on DSK3GDR082PROD with PRES DOCS A jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future including cybersecurity-related education curricula training and apprenticeship programs from primary through higher education and B within 120 days of the date of this order provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism with findings and recommendations regarding how to support the growth and sustainment of the Nation's cybersecurity workforce in both the public and private sectors ii The Director of National Intelligence in consultation with the heads of other agencies identified by the Director of National Intelligence shall A review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness and VerDate Sep 11 2014 13 23 May 15 2017 Jkt 241001 PO 00000 Frm 00005 Fmt 4790 Sfmt 4790 E FR FM 16MYE1 SGM 16MYE1 22396 Federal Register Vol 82 No 93 Tuesday May 16 2017 Presidential Documents B within 60 days of the date of this order provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism on the findings of the review carried out pursuant to subsection d ii A of this section iii The Secretary of Defense in coordination with the Secretary of Commerce the Secretary of Homeland Security and the Director of National Intelligence shall A assess the scope and sufficiency of United States efforts to ensure that the United States maintains or increases its advantage in nationalsecurity-related cyber capabilities and B within 150 days of the date of this order provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism with findings and recommendations on the assessment carried out pursuant to subsection d iii A of this section iv The reports described in this subsection may be classified in full or in part as appropriate Sec 4 Definitions For the purposes of this order a The term ''appropriate stakeholders'' means any non-executive-branch person or entity that elects to participate in an open and transparent process established by the Secretary of Commerce and the Secretary of Homeland Security under section 2 d of this order b The term ''information technology'' IT has the meaning given to that term in section 11101 6 of title 40 United States Code and further includes hardware and software systems of agencies that monitor and control physical equipment and processes c The term ''IT architecture'' refers to the integration and implementation of IT within an agency d The term ''network architecture'' refers to the elements of IT architecture that enable or facilitate communications between two or more IT assets Sec 5 General Provisions a Nothing in this order shall be construed to impair or otherwise affect i the authority granted by law to an executive department or agency or the head thereof or ii the functions of the Director of OMB relating to budgetary administrative or legislative proposals b This order shall be implemented consistent with applicable law and subject to the availability of appropriations pmangrum on DSK3GDR082PROD with PRES DOCS c All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods Nothing in this order shall be construed to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence or law enforcement operations VerDate Sep 11 2014 13 23 May 15 2017 Jkt 241001 PO 00000 Frm 00006 Fmt 4790 Sfmt 4790 E FR FM 16MYE1 SGM 16MYE1 Federal Register Vol 82 No 93 Tuesday May 16 2017 Presidential Documents 22397 d This order is not intended to and does not create any right or benefit substantive or procedural enforceable at law or in equity by any party against the United States its departments agencies or entities its officers employees or agents or any other person THE WHITE HOUSE May 11 2017 FR Doc 2017-10004 Filed 5-15-17 8 45 am VerDate Sep 11 2014 19 43 May 15 2017 Jkt 241001 PO 00000 Frm 00007 Fmt 4790 Sfmt 4790 E FR FM 16MYE1 SGM 16MYE1 Trump EPS GPH pmangrum on DSK3GDR082PROD with PRES DOCS Billing code 3295-F7-P                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu