On February 9, 2016, the Obama administration released its final budget, which includes a request for $19 billion to fund the Cybersecurity National Action Plan (CNAP). The CNAP sets forth a variety of cybersecurity and privacy initiatives, the headliners of which are detailed in two executive orders released alongside the budget.

First, Executive Order 13718 establishes a twelve member Commission on Enhancing National Cybersecurity (Commission). In short, the Commission is charged with making recommendations to strengthen cybersecurity in the public and private sectors by studying the behavior of technology users and providers, improving awareness of cybersecurity risks and improving access to the knowledge needed to make informed risk management decisions. Specifically, by December 1, 2016, the Commission is to develop recommendations in at least five substantive areas:

  • bolstering protection of systems and data, including through the advancement of identity management;
  • stabilizing security in the context of the Internet of Things;
  • identifying research and development initiatives that can enhance cybersecurity;educating and training the cybersecurity workforce in the federal government and the private sector; and
  • improving cybersecurity education in the general public.

Second, Executive Order 13719 focuses on improving the federal government’s ability to protect the privacy of those individuals about whom it collects information. To do so, it establishes the Federal Privacy Council (Privacy Council) to act as an interagency support structure and to ensure consistent implementation of privacy policy across the federal government. The Privacy Council will be composed of the Senior Agency Official for Privacy from each of twenty-four named executive departments and federal agencies. It is charged with developing recommendations for government privacy policies, coordinating privacy best practices between agencies and assessing how to meet the federal government’s hiring and training needs with respect to privacy matters. 

In his Budget Message President Obama recognized the need to take “bold, aggressive action” on cybersecurity by empowering government, companies and individuals while protecting privacy. Indeed, the executive actions are well-timed, as they come just one day after the latest breach of federal employees’ personal information. In light of persistent cybersecurity risks, companies should monitor the recommendations of the Commission and the Privacy Council and ensure their actions are consistent with best practices.