President Orders Cybersecurity Safeguards for Classified Computer Networks
On October 7, 2011, President Obama signed an Executive Order (“E.O.”) mandating the creation of oversight bodies tasked with coordinating the protection of classified information residing on computer networks from internal and external cybersecurity threats. The E.O. seeks to close existing security gaps by creating new responsible sharing and safeguarding policies and standards that will apply to all agencies that operate or access classified computer networks, as well as government contractors that operate or access classified computer networks.
Specifically, the E.O. seeks the creation of policies and standards for (1) ensuring information security, personnel security, and systems security; (2) addressing internal and external threats and vulnerabilities; and (3) sharing classified information both within and outside the federal government. The E.O. endorses the findings and recommendations of an interagency committee established to review government-wide policies and practices for handling classified information after the unlawful disclosure of classified information by WikiLeaks in 2010. The E.O. takes five key actions to formalize the existing committee and counter such threats:
- Establishes a Senior Information Sharing and Safeguarding Steering Committee to coordinate interagency development and implementation of policies for sharing and safeguarding of classified information on computer networks. The Office of Management and Budget and the National Security Staff shall co-chair the Committee, with representation from the Departments of State, Defense, Justice, Energy, and Homeland Security, the Director of National Intelligence, the Central Intelligence Agency, and the Information Security Oversight Office of the National Archives.
- Creates the Classified Information Sharing and Safeguarding Office tasked with providing expert, full-time, sustained focus on safeguarding classified information on computer networks.
- Authorizes Senior Representatives of the Department of Defense and the National Security Agency to serve jointly as the Executive Agent for Safeguarding Classified Information on Computer Networks under National Security Directive/NSD-42 and tasks the Executive Agent with, among other things, conducting independent assessments of agency compliance with safeguarding policies and standards, and reporting such results to the Steering Committee.
- Creates an Insider Threat Task Force to develop a government-wide insider threat detection and prevention program to reduce the potential for and prevent the compromise or unauthorized disclosure of classified information.
- Defines individual agency responsibility for overseeing classified information sharing and safeguarding efforts within the agency. The heads of agencies that operate or access classified information networks must designate a senior official charged with overseeing such efforts; implement an insider threat reduction and prevention program consistent with the recommendations of the Insider Threat Task Force; perform security assessments; and provide access to the Executive Agent and Insider Threat Task Force to review compliance with any established policies and standards.
Although the E.O. focuses on ensuring agency accountability and uniform standards across the federal government, contractors who currently have or regularly require access to classified information networks should continue to monitor the efforts of each of these new oversight organizations, consider participating in any public rulemaking opportunities, and be prepared for additional compliance obligations stemming from any proposed policies or procedures. Contractors may also want to assess the impact, if any, that increased access control requirements or audit requirements may have upon their day-to-day contract operations.
McKenna Long & Aldridge will continue monitoring key developments in each of these areas and provide periodic updates.