The summary of the new Executive Order is a bit of a letdown:

Government agencies must complete a risk management report within 90 days. The risk report should align with NIST.

Outside of those with a risk fetish, this new EO probably isn’t that exciting from the perspective of any near-term cybersecurity transformation. That said, there are some aspects worth mentioning:

  • Cybersecurity is now a multi-agency public policy issue driven by the Executive Branch. The Department of Homeland Security, Office of Management and Budget, Department of Commerce, Department of Education, Department of Labor, and Office Personnel Management are all mentioned in the order.
  • The government wants to go shared services – including email, cloud, and cybersecurity services. The President requires a specific report on the costs related to modernizing government IT and cybersecurity by utilizing shared services.
  • Cybersecurity, services, and innovation are tied together with the order placing the Director of the American Technology Council as one primary stakeholder for the report modernizing IT and cybersecurity.
  • The order emphasizes workforce development as a key component of the United States cybersecurity advantage. Within 120 days the order requires the President receive a report on how to support the growth and sustainment of cybersecurity education.

Does the order change much? Not really.

Is it worth getting excited over? Absolutely, for those that felt the government had too few reports and committees.

For security practitioners? Probably not, but we are a cynical bunch by trade. It isn't transformative, but it does show incremental improvement by existing.

Then again, cybersecurity requirements for accepting credit cards are still tougher (and more enforceable) than ones for providing electricity….