US President Donald Trump signed an executive order on cybersecurity on Thursday, outlining plans to address the cybersecurity of federal networks, the cybersecurity of critical infrastructure , the cybersecurity of the nation as a whole, and how to ensure that the United States achieves long-term excellence in cybersecurity.

Tom Bossert, President Trump’s homeland security adviser, made the announcement on Thursday afternoon. Bossert summed up what he considers the three most important sections of the EO in order of priority:

  1. Protect federal networks using the NIST Framework
  2. Mandate federal IT to move to the cloud
  3. Centralize federal IT as one enterprise network

The biggest surprise in the plan is the move to the cloud.

“We spend a lot of time and inordinate amount of money protecting antiquated and outdated systems. We saw that with the OPM hack and other things,” said Bossert. “From this point forward, the President has issued a preference in federal procurement in federal IT for shared systems. We’ve got to move to the cloud and try to protect ourselves instead of fracturing our security posture.”

SEE: Guidelines for building security policies (Tech Pro Research)

The cybersecurity executive order has been reported and awaited for over three months. Trump made cybersecurity improvements part of his platform as a presidential candidate, and the issue also took center stage with the alleged hacking of Hillary Clinton’s campaign and the Democratic National Committee during the election. The issue took a political turn on Tuesday when Trump fired FBI director James Comey, who was leading an investigation into Russia’s interference in the election.

The full text of the executive order is available and it states, “The executive branch has for too long accepted antiquated and difficult-to-defend IT.”

One of the key themes of Trump’s approach to cybersecurity in the US government is that the heads of each individual agency will be held responsible for the cybersecurity of his or her agency. They will be responsible for preparing reviews and plans to guard their agencies against attacks.

Here are the core elements of the executive order:

1. Vulnerabilities

A review of US cyber vulnerabilities shall take place immediately. Within 90 days, recommendations for how to best protect the US national security systems must be provided by way of the Secretary of Defense; and recommendations for enhancing civilian federal government, public, and private sector infrastructure must be provided to the president by the Secretary of Homeland Security.

2. Adversaries

The US Director of National Intelligence will be responsible for delivering a review of the top cybersecurity adversaries of the US to President Trump within 90 days of the executive order. This review aims to identify the adversaries, as well as list their vulnerabilities and capabilities.

SEE: NSA chief: This is what a worst-case cyberattack scenario looks like (ZDNet)

3. Capabilities

Another review will take a look at the cyber capabilities of the NSA, the Department of Defense, and the Department of Homeland Security. It will identify which capabilities need improvement to better protect the critical infrastructure of the US. Additionally, another review conducted by the Secretary of Defense and Secretary of Homeland Security will look at cybersecurity education in the US and how to best train more cybersecurity professionals for the future.

4. Private sector

The Secretary of Commerce and the Secretary of Homeland Security will have 120 days to deliver a report on options that are available to incentivize private sector organizations to adopt better cybersecurity practices, including improved training and workforce development.