Presidential Documents
22391
Federal Register / Vol. 82, No. 93 / Tuesday, May 16, 2017 / Presidential Documents
Executive Order 13800 of May 11, 2017
Strengthening the Cybersecurity of Federal Networks and
Critical Infrastructure
By the authority vested in me as President by the Constitution and the
laws of the United States of America, and to protect American innovation
and values, it is hereby ordered as follows:
Section 1. Cybersecurity of Federal Networks.
(a) Policy. The executive branch operates its information technology (IT)
on behalf of the American people. Its IT and data should be secured respon-
sibly using all United States Government capabilities. The President will
hold heads of executive departments and agencies (agency heads) accountable
for managing cybersecurity risk to their enterprises. In addition, because
risk management decisions made by agency heads can affect the risk to
the executive branch as a whole, and to national security, it is also the
policy of the United States to manage cybersecurity risk as an executive
branch enterprise.
(b) Findings.
(i) Cybersecurity risk management comprises the full range of activities
undertaken to protect IT and data from unauthorized access and other
cyber threats, to maintain awareness of cyber threats, to detect anomalies
and incidents adversely affecting IT and data, and to mitigate the impact
of, respond to, and recover from incidents. Information sharing facilitates
and supports all of these activities.
(ii) The executive branch has for too long accepted antiquated and difficult-
to-defend IT.
(iii) Effective risk management involves more than just protecting IT and
data currently in place. It also requires planning so that maintenance,
improvements, and modernization occur in a coordinated way and with
appropriate regularity.
(iv) Known but unmitigated vulnerabilities are among the highest cyberse-
curity risks faced by executive departments and agencies (agencies). Known
vulnerabilities include using operating systems or hardware beyond the
vendor’s support lifecycle, declining to implement a vendor’s security
patch, or failing to execute security-specific configuration guidance.
(v) Effective risk management requires agency heads to lead integrated
teams of senior executives with expertise in IT, security, budgeting, acquisi-
tion, law, privacy, and human resources.
(c) Risk Management.
(i) Agency heads will be held accountable by the President for imple-
menting risk management measures commensurate with the risk and mag-
nitude of the harm that would result from unauthorized access, use, disclo-
sure, disruption, modification, or destruction of IT and data. They will
also be held accountable by the President for ensuring that cybersecurity
risk management processes are aligned with strategic, operational, and
budgetary planning processes, in accordance with chapter 35, subchapter
II of title 44, United States Code.
VerDate Sep<11>2014 13:23 May 15, 2017 Jkt 241001 PO 00000 Frm 00001 Fmt 4790 Sfmt 4790 E:\FR\FM\16MYE1.SGM 16MYE1
pmangrum on DSK3GDR082PROD with PRES DOCS
