White House Cybersecurity Executive Order
Feb. 14, 2013
NCSL is encouraged by President Obama’s mention of comprehensive cybersecurity legislation in his State of the Union address on Feb. 12. As states execute many of the programs overseen by federal agencies, it is critical that states are consulted in the creation of this legislation. Given the already tight budgets many states face, it is also important that the federal government avoid unfunded mandates and preemptions. Over the past several months, NCSL has been working with other state and local organizations to urge Congress to create and pass comprehensive cybersecurity legislation.
On Feb. 12, the president signed an Executive Order on Improving Critical Infrastructure Cybersecurity to establish a broad public-private cyberthreat information sharing process as well as voluntary cybersecurity standards for the private sector. Below is an overview of the executive order.
Cybersecurity Information Sharing
The president calls on the secretary of Homeland Security and the director of National Intelligence to each issue instructions to ensure production of unclassified reports of cyber threats within 120 days of the release of the order. These instructions are to address the need to protect intelligence and law enforcement sources. The secretary and the attorney general are to also establish a process to rapidly disseminate the reports.
Also within 120 days of release, the secretary, in collaboration with the secretary of Defense, is to establish procedures to expand the Enhanced Cybersecurity Services Program to all infrastructure sectors. This voluntary program provides “classified cyber-threat and technical information” to eligible parties.
Privacy and Civil Liberties Protections
Measures will be taken to ensure that privacy and civil liberties protections are incorporated into such activities, based upon the Fair Information Practice Principles and related privacy and civil liberties policies.
A consultation process will be established by the secretary of Homeland Security to coordinate improvements to the cybersecurity of critical infrastructure incorporating advice from state, local, territorial and tribal governments and universities.
Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
The National Institute of Standards and Technology (NIST) is charged with developing a framework to reduce cyber risks to critical infrastructure, known as the “Cybersecurity Framework.” This framework will include standards, methodologies, procedures and processes while incorporating voluntary consensus standards and industry best practices.
Within 240 days of release, the director of NIST is to publish a preliminary version of the Cybersecurity Framework and within one year of the release, the director is to publish a final version after coordination with the secretary.
Voluntary Critical Infrastructure Cybersecurity Program
A voluntary program is to be established by the secretary of Homeland Security, in coordination with sector-specific agencies, to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other entities. The secretary will also establish incentives to promote participation in the program.
Identification of Critical Infrastructure at Greatest Risk
Within 150 days of release and in consultation with the heads of sector-specific agencies, the secretary is directed to identify critical infrastructure where a potential cybersecurity incident could result in catastrophic local or national effects. This list is to be updated and provided to the president on an annual basis. The secretary is also directed to develop a process for other relevant stakeholders to assist in making these identifications.
Adoption of Framework
Agencies with responsibility for regulating the security of critical infrastructure will work with DHS, Office of Management and Budget (OMB), and the National Security Staff to review the preliminary Cybersecurity Framework. They will determine if present cybersecurity regulatory requirements address current and projected risks. These agencies shall submit a report to the president based upon the Cybersecurity Framework identifying existing authorities and any additional authorities required to sufficiently address current and projected cyber risks to critical infrastructure. Agencies shall propose “prioritized, risk-based, efficient, and coordinated actions” to mitigate cyber risk if current regulatory requirements are proven to be inadequate.
Agencies, within two years after publication of the final framework and in consultation with owners and operators of critical infrastructure, shall report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements, and make recommendations for additional actions to minimize or eliminate such requirements.
The president also signed a Presidential Policy Directive on Critical Infrastructure and Resilience to advance a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure.