OMB in memo M-17-25 has issued guidance to agencies on carrying out President Trump’s recent executive order on government cybersecurity, saying the order “recognizes the increasing interconnectedness of federal information and information systems and requires agency heads to ensure appropriate risk management not only for the agency’s enterprise, but also for the executive branch as a whole.”
“In particular, agency heads are required to manage risk commensurate with the magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of a federal information system or federal information,” it says.
Among the requirements are that agencies produce a risk management report to OMB and DHS within 90 days. “A critical component of implementing the executive order, as well as managing cybersecurity risk in general, is for agencies to understand risk in terms of agency mission and their ability to deliver necessary public services,” it says.
The risks addressed in the reports should include, but are not limited to, strategic, market, cyber, legal, reputational, political, and a broad range of operational risks such as information security, human capital, business continuity, and related risks, the memo says.
Agencies are also responsible for describing the actions they plan to take to comply with the Framework for Improving Critical Infrastructure Cybersecurity.