Fairly well done, Mr. President. The order is addressed to people who report to you and written in the active voice. It tells them clearly and directly what they are expected to do. It fixes responsibility, accountability, and schedules. It requires measurement and reporting. It does not increase the power of the government to do anything, for example regulate or control privately owned infrastructure, that it is not already empowered to do. It articulates clear limits on what is intended. It also specifies self-corrective measures.
However, while it requires that actions should be “risk based,” it fails to establish or articulate the level of risk tolerance. Instead, it leaves this determination to the various agencies of the government. One must be concerned that the acceptable level will be poorly articulated in some cases and chosen for the benefit of the agency in others.
Part of the problem that the order sets out to address is that the private owners of the infrastructure are each choosing their own level of risk. This results in overspending by some and underspending by others. This is clearly inefficient. Think of a fence that is very high in some places but can be stepped over in others.
This has been the problem with government security from day one. Instead of establishing an objective level of risk, the government relies upon the owner/author of a document, file, message, or other data object to specify its “classification,” that is, the set of protective measures to be implemented and paid for by others. This results in “least common” security. That is why the government sets such a poor example of security.
All in all, this is a good first effort. It is not likely to do any harm. However, the problem that it addresses is deeply rooted in culture, and we know from bitter experience that culture is resistant to change. However, Mothers Against Drunk (drinking and) Driving (MADD) and the anti-smoking campaign lend hope that we can do it.