Back on May 11, President Trump signed an executive order on cyber-security, giving civilian and military agencies a 60-day deadline for reviewing cyber-security posture. As that initial deadline nears, eWEEK reached out to security experts to see what, if any impact the executive order is currently having.
“There has not been any public impact thus far,” Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged account management (PAM) solutions, told eWEEK. “This executive order is making the agencies executive heads accountable and responsible for cyber-security risk, quickly identifying and reporting back the current state of cyber-security.”
Carson said that in his view the executive order is a a gap analysis exercise and it is important to note that it does not improve or prevent cyber-security threats, however it is an important step in the right direction to understand clearly the areas of high risk.
“Right now, risk assessments are being performed and the execution of this will likely be second half of this year once the risks have been identified and reported,” Carson said. “What is lacking in this executive order is a clear cyber-security strategy and incident response. While it helps with the risk assessment, it is only part of what is needed to make a big difference.”
Ken Spinner, VP of Field Engineering at Varonis, a provider of insider threat protection technology, commented that it’s very hard to say whether the executive order is having an impact because there are so many confounding factors.
“Since the executive order was signed, we’ve seen fast-spreading global malware attacks (WannaCry, Petya), specialized malware targeting power grids (CrashOverride), and insiders with top secret clearance leak sensitive information (Reality Winner),” Spinner told eWEEK. “The steady stream of security incidents appears to be doing more to spur governments into action than Trump’s mandate.”
According to John Chirhart, federal technical director at Tenable Network Security, the cyber-security executive order has helped with the very complicated and often debated topic of vulnerability remediation prioritization.
“Historically, agencies have had to rely on their best judgement to determine where to focus their remediation and mitigation efforts,” Chirhart told eWEEK. “But the executive order has helped agencies prioritize their focus on securing areas such as critical infrastructure.”
The cyber-security executive order specifically states that U.S. government agencies should use the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. As part of the Executive Order, government agency heads need to provide a risk management report based on NIST cyber-security framework within 90 days of EO release. The NIST cyber-security framework was first released back in February 2014 as an implementation of a cyber-security executive order issued in 2013 by President Obama.
Chirhard said that the NIST Cyber-security Framework has seen widespread adoption in the private sector because it provides a flexible, prioritized, repeatable, and cost-effective approach to cyber-risk.
“While government agencies are working to adopt the NIST Cyber-security Framework, many have not been able to quickly implement it because of the slow procurement process,” Chirhard said. “Outdated procurement methods also create obstacles for agencies to bring in the people and tools needed to effectively implement the framework.”
Dan Lohrmann, chief security officer at Security Mentor, a provider of security awareness training said that in terms of general adoption, he is seeing more state and local governments, as well as private sector organizations, formally adopting the NIST cyber-security framework as a standard.
While the NIST cyber-security framework provides a guide for best practices to improve security, Thycotic’s Carson warns that it is quickly becoming outdated as technology and threats evolve rapidly. Simon Gibson, Fellow Security Architect at network visibility vendor Gigamon sees the NIST framework used and referenced widely across critical infrastructure and other industry sectors. Gibson also wants to see that NIST keeps the framework up to date to deal with emerging threats.
“As the federal agencies begin to leverage the NIST Framework as part of their existing risk management processes, we urge NIST to update the informative references frequently so that agencies adopt and implement the most up to date and effective security controls,” Gibson said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.