OMB Memorandum M-17-25: Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
From: OMB Memorandum M-17-25
Overview and Purpose
On May 11, 2017, the President signed the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which outlines a number of actions to enhance cybersecurity across Federal agencies and critical infrastructure partners. Section 1 of the Executive Order reinforces the Federal Information Security Modernization Act of 2014 (FISMA) by holding agency heads accountable for managing the cybersecurity risks to their enterprises. This Memorandum provides implementing guidance on actions required in Section 1 of the Executive Order.
Managing Agency and Government-wide Cybersecurity Risks
The Executive Order recognizes the increasing interconnectedness of Federal information and information systems and requires agency heads to ensure appropriate risk management not only for the agency’s enterprise, but also for the Executive Branch as a whole. In particular, agency heads are required to manage risk commensurate with the magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of a Federal information system or Federal information.[1] The Executive Order directs agency heads to produce a risk management report to the Director of the Office of Management and Budget (OMB) and the Secretary of the Department of Homeland Security (DHS) within 90 days of its publication.
An effective enterprise risk management program promotes a common understanding for recognizing and describing potential risks that can impact an agency’s mission and the delivery of services to the public.[2] Such risks include, but are not limited to, strategic, market, cyber, legal, reputational, political, and a broad range of operational risks such as information security, human capital, business continuity, and related risks.[3] Accordingly, the Federal Government is adopting the Framework for Improving Critical Infrastructure Cybersecurity (the Framework) to manage the cybersecurity component of enterprise risk as directed in the Executive Order, consistent with prior OMB memoranda and circulars.