On the other side of the fence, computer security product makers have broadly welcomed the policy, which also calls on government and industry to reduce the threat from automated attacks on the internet.
The delayed cybersecurity executive order aims to bolster the government's information security while protecting the nation's critical infrastructure from cyberattacks. The order is important because it sets the direction for US infosec policy in government and beyond. Unlike many of President Trump's other policy initiatives, the order is largely uncontroversial and might (whisper this gently) be seen largely as a continuation of measures former President Barrack Obama was putting into place.
Kevin Davis, VP of public sector at Splunk, said: "Improving cybersecurity is one of the few items both sides of the aisle can reach across and agree on, and today's executive order is a good, bipartisan step to better protect our government's networks and critical infrastructure."
"Hackers' preferred attack methods against the public and private sector change daily, and Trump's executive order is a good reflection of the need for adaptability in today's threatscape. And as methods of cybercrime continue to evolve, it will be important to government agencies to rely on data analysis, to quantify the risk so they can adapt appropriately," he added.
Some experts argue that the order will spur an overdue rethink about federal IT security strategies.
Davis explained that the order differs in several important respects from the draft order floated by the Trump administration back in January.
"The draft order gave DoD [US Department of Defense] a very muscular role in almost every component of the original plan," Davis said. "In the signed order issued today, DoD is tasked with contributing to the plan in areas more in line with its war-fighting capabilities.
"Similarly, the earlier order sought to explore ways to promote cyber resiliency in the private sector by creating financial incentives (ie, tax breaks) to spend on cybersecurity. The signed order turns to market transparency to encourage critical infrastructure entities to properly mitigate cyber risks. This approach transfers the costs and risks of improper planning to the infrastructure owners and investors and away from the taxpayer," he added.
The buck stops there
The order means federal agency heads will be held accountable for the effective management of the cyber risk within their agencies, something that was always an implicit duty but is now an explicit responsibility. Agency bosses will be obliged to implement the National Institute of Standards and Technology (NIST) risk management framework to develop assessments and plans. According to the executive order, agencies have 90 days to report back on risks and provide strategic plans for mitigation that work within budgetary constraints.
The executive order promotes network consolidation and shared IT services – a push towards streamlining services and keeping costs down. Increased consolidation will make it easier to apply a common (hopefully more robust) security architecture. In addition, the order promotes action against networks of compromised computers or other devices (botnets).
The order lays out a roadmap toward shared services and the cloud for applications including email. Companies providing security solutions in the cloud may see an uptick in federal business as these preferences translate to projects and spending, according to industry experts.
Stephen Coty, chief security evangelist at Alert Logic in Texas, said: "This executive order is using a risk-based approach to cybersecurity for the US government and its suppliers. The order is mandating that all departments complete full technology audits and put together a plan for improvement and modernization of their current IT infrastructure.
"They identify unmitigated vulnerabilities as one of the highest risks facing the executive departments and other agencies. These known vulnerabilities that they've identified include operating systems and hardware that are beyond the vendor support lifecycle. They also include declining to implement a vendor recommendation on patching and configuration guidance. All agency heads will be held accountable by the President for implementing these risk management measures."