GOVERNMENT IT REPORT New Cybersecurity Policy Will Impact Federal IT Market

Federal agencies already under the gun to modernize their information technology capabilities have a new set of standards to meet as a result of an executive order President Donald Trump issued this spring. The directive not only will affect agency managers in their IT operations and acquisition activities, but also will have a significant effect on IT vendors.

The Trump initiative “adds another important piece to the U.S. federal IT modernization puzzle,” said Katell Thielemann, research vice president at Gartner.

“Various parts of the executive order will have a direct impact on the U.S. federal market,” she wrote in an 18-page briefing on the program.

A key element of the order is that responsibility for cyberprotection has been elevated to the level of cabinet officers and the heads of various agencies rather than residing with their IT or cybersecurity officers.

“The President will hold heads of executive departments and agencies accountable for managing cybersecurity risk to their enterprises,” reads the executive order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” issued on May 11.

Agency heads will be held accountable to the president “for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data,” it states.

Call for Swift Action

The order requires agencies to comply “immediately” with several specific mandates:

  • Each agency shall use the “Framework for Improving Critical Infrastructure Cybersecurity” developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk. The framework was developed by NIST generally for private sector use and has been widely adopted not only by critical infrastructure companies but also by a wide range of businesses.
  • Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud and cybersecurity services.

Agencies must deliver a report by early August on their cyber-risk mitigation and acceptance choices, as well as their plans to implement the NIST framework. After reviewing the reports, the Department of Homeland Security and the Office of Management and Budget must submit a joint plan for the cyberprotection of the executive branch enterprise by early October.

The emphasis on “executive branch enterprise” is a clear statement of policy that cybersecurity protection is now considered a government-wide goal rather than a set of isolated agency efforts.

The executive order also links cyberprotection to the goal of moving faster to modernize federal IT operations in general.

“Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture,” says the executive order.

To advance IT performance, the order requires the director of the American Technology Council to provide a report to the president, also by early August, “regarding modernization of federal IT.”

The White House established the ATC prior to issuance of the executive order to “coordinate the vision, strategy, and direction for the federal government’s use of information technology and the delivery of services through information technology.”

As a follow-up to creating the ATC, President Trump met with…