19 Feb 13. Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which President Obama issued last Tuesday, is published in this morning’s Federal Register. This Executive Order, together with a related Presidential Policy Directive (PPD-21) on Critical Infrastructure Security and Resilience, forms the centerpiece of the Administration’s approach to cybersecurity.
The Executive Order strengthens the U.S. Government’s partnership with the private sector to address these threats through:
* Authorizing new information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies. The Executive Order requires Federal agencies to produce unclassified reports of threats to relevant U.S. companies and requires the reports to be shared in a timely manner. The Order also expands the Enhanced Cybersecurity Services program beyond the Defense Industrial Base, allowing companies in other sectors to participate.
* Developing a Cybersecurity Framework. The Executive Order directs the National Institute of Standards and Technology (NIST) to lead the development of a framework to reduce cyber risks to critical infrastructure. NIST will work collaboratively with industry to develop the framework and will incorporate existing international standards, practices, and procedures wherever possible. To promote technical innovation, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services.
* Establishing a voluntary program to promote the adoption of the Framework. The Department of Homeland Security will work with Sector-Specific Agencies and the Sector Coordinating Councils that represent industry to develop a program to assist companies with implementing the framework and to identify incentives for adoption of the framework. Additionally, Federal executive branch civilian agencies will adopt the framework to enhance the protection of their systems.
* Calling for a review of existing cybersecurity regulation. Some sectors – but not all – of our most critical infrastructure already fall under existing cybersecurity regulation. For those sectors, regulatory agencies will review the Cybersecurity Framework and determine if existing regulatory requirements provide sufficient cybersecurity. If the existing regulations are insufficient, then agencies will propose new, cost-effective regulations based upon the Cybersecurity Framework. Regulatory agencies will use their existing processes to consult with their regulated companies to develop and propose any new regulations.
* Including strong privacy and civil liberties protections based on the Fair Information Practice Principles. Agencies are required to incorporate privacy and civil liberties safeguards in their cybersecurity activities under this order. Those safeguards will be based upon the Fair Information Practice Principles (FIPPs) and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities and such assessments will be made public.
The Presidential Policy Directive:
* Directs the government to identify the functional relationships across the government related to critical infrastructure and to work to improve the effectiveness of the existing public-private partnership with owners and operators and with state, local, tribal, and territorial partners in both physical space and cyberspace.
* Directs the government to develop an efficient situational awareness capability that addresses both the physical and cyber implications of an incident, ensures further integration and awareness throughout the government, and enables responsible sharing of those implications with stakeholders.
* Directs the government to address other information sharing priorities, including speeding up the