President Donald Trump has signed an executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure.
In this context, cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents.
The executive order directly addresses what it calls “antiquated and difficult-to-defend IT.” Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies.
Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.
Effective immediately, each agency head shall use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST), or any successor document, to manage the agency’s cybersecurity risk.
Agency heads will be held accountable for cybersecurity implementation, and will no longer be allowed to pass the blame to IT vendors.
The full text of the executive order can be found here.