On May 11th, 2017, Donald Trump signed his first executive order on cybersecurity. You can find the full text of the order at our Alliance partner CyberSaint's blog here.
Feedback within the security industry has been generally positive, noting:
1. A common standard and framework is a good thing.
Having a common set of standards against which to measure government departments, and also the other affected bodies (commercial critical infrastructure, organizations receiving federal government funding), is a good thing. And rather than invent yet another new standard, the EO wisely chooses to leverage an existing one, the NIST Cybersecurity Framework. A common standard allows toolsets that support the process to mature, lets organizations share best practices, and makes results comparable across agencies.
2. NIST isn't a bad choice.
There are only so many widely used standards in cyber security: ISO 27001 and its family, the NIST standards, and the SOC attestation standards. NIST is fairly comprehensive, and the Framework is mapped to many other security standards that may already be in use in various sectors (NERC CIP, PCI DSS, and so on). The EO also allows for successor versions. No standard is perfect, but personally I've seen NIST pick up momentum in the last 12-18 months outside of mandated actions, which suggests organizations independently think it is a good choice to base security programs and strategies on.
3. Setting a tight deadline, budgetary requirements and executive accountability makes sense.
Being explicit about who is responsible (agency heads) and defining a process for budgets, reviews and timelines will make it difficult for agencies to sit on their problems. It represents a reasonable work effort: for agencies that already have well-run programs it should be a straightforward task, and for agencies without well-run programs, well, we'll all know which those are fairly quickly.
I'd love to hear your thoughts and comments on the Executive Order (be civil). Do you think Canada or other jurisdictions should undertake similar actions? Does it go far enough? Do you think we'll see real change as a result of this EO?
If you're on the journey to adopt and report on security standards, get in touch, we likely have tools and people to help you chart a course.