President Donald Trump on May 11 issued a new executive order designed to strengthen the nation’s federal cybersecurity networks and critical infrastructure. The move generally received positive reaction from the financial services industry, but some credit union groups voiced reservations about establishing nationwide cybersecurity standards.
The executive order focused on three major areas: cybersecurity of federal networks, cybersecurity of critical infrastructure, and cybersecurity for the nation.
The executive order requires federal agencies to use the National Institute of Standards and Technology’s cybersecurity framework to manage their cybersecurity risk. It also directs agencies to provide a cybersecurity risk management report to the Secretary of Homeland Security and Director of the Office of Management and Budget within 90 days.
The order also directs the Secretary of Homeland Security and Secretary of Commerce to examine the sufficiency of existing federal policies and practices to “promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities” within 90 days. These agencies would then identify and promote action by appropriate stakeholders to “improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (i.e., botnets).”
In addition, the order would require the Secretary of Commerce and Secretary of Homeland Security, in conjunction with other federal agencies, to jointly assess “the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future.”
The American Bankers Association issued a May 11 news release applauding the presidential order.
“The executive order will enhance the security of government systems and help protect our critical financial infrastructure — and ultimately bank customers — through enhanced information sharing and greater cross-industry collaboration,” ABA President and CEO Rob Nichols said in the release.
The Credit Union National Association said in a statement it generally supports the use of the NIST’s cybersecurity framework but is “concerned that mandatory use by federal agencies could eventually lead to making it a mandatory standard for financial institutions.”
“It should not create additional requirements, nor should it apply a one-size-fits-all approach for credit unions to demonstrate readiness,” the CUNA statement said.
The National Association of Federally Insured Credit Unions said in a statement that many of its member credit unions have used and benefited from NIST’s cybersecurity framework, but the group also cautioned against establishing a nationwide industry cybersecurity standard. “The association has encouraged NIST to work with other regulators and industry stakeholders to clarify how its framework should be used or adopted, while emphasizing that there is no one-size-fits-all approach to cybersecurity,” the NAFCU statement said.