On February 12, 2013, President Obama signed an Executive Order aimed at strengthening the cybersecurity of the nation’s critical infrastructure. The Executive Order, titled “Improving Critical Infrastructure Cybersecurity,” focuses on increasing protection from cyber attacks by (1) requiring federal agencies to share information about cyber threats with U.S. companies and (2) directing the National Institutes of Standards and Technology (NIST) to develop standard practices and procedures to effectively minimize the risk of cyber attacks. As the owners and operators of critical infrastructure, government contractors, and others, will be impacted by the implementation of this Executive Order.
The Executive Order defines “critical infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Executive Order focuses on cybersecurity information sharing and the development of a baseline framework to reduce cyber risk to critical infrastructure.
The Executive Order directs the Attorney General, Secretary of Homeland Security, and Director of National Intelligence to produce unclassified reports of cyber threats that identify a specific targeted entity, establish a process to timely provide such unclassified reports to the targeted entity, and provide classified reports to critical infrastructure entities that are authorized to receive them. In addition, the Executive Order directs that the Enhanced Cybersecurity Program (a voluntary information sharing program that assists critical infrastructure owners and operators in protecting their systems from unauthorized access) be expanded so that more critical information owners and operators can participate. As a means to facilitate greater participation in the Enhanced Cybersecurity Program, which includes the dissemination of classified information to participants, the Executive Order requires the Department of Homeland Security to expedite the processing of security clearances to appropriate employees of critical infrastructure owners and operators.
The Executive Order directs NIST to develop a framework to reduce cyber risks to critical infrastructure. This “Cybersecurity Framework” must include standards and procedures that “align policy, business, and technology approaches to address cyber risks.” The Cybersecurity Framework must incorporate cross-sector standards, provide technology neutral guidance, and enable critical infrastructure sectors to remain competitive. NIST is directed to consult with the Secretary of Homeland Security, the National Security Agency and various federal agencies when developing the Cybersecurity Framework. The Cybersecurity Framework will also be subject to a public comment process. According to the Executive Order, the final Cybersecurity Framework will be issued no later than February 12, 2014.
Voluntary Adoption by Private Entities
There will be a voluntary program under which owners and operators of critical infrastructure can adopt the Cybersecurity Framework. Although adoption of the Cybersecurity Framework is not mandated, the provisions in the Executive Order indicate that such adoption is strongly encouraged. The Executive Order requires the Department of Homeland Security and the Departments of the Treasury and Commerce to recommend to the President incentives designed to promote participation in the program. Furthermore, the Executive Order directs federal agencies to report annually to the President the extent to which owners and operators of critical infrastructure facing the greatest risk of a cyber attack are participating in the program.
Adoption by Agencies
Agencies with responsibility for regulating the security of critical infrastructure are directed to review the Cybersecurity Framework and determine whether their current regulations sufficiently protect against cyber risks. If current regulations are found to be inadequate, the agencies are required to propose actions to mitigate cyber risk.
The Executive Order asks the Department of Defense and the General Services Administration, in consultation with the Department of Homeland Security and the Federal Acquisition Regulatory Council, to make recommendations to the President on “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” Therefore, it is foreseeable that the Federal Acquisition Regulation could be amended to include cybersecurity standards or certifications. While the promulgation of revised procurement regulations regarding cybersecurity will subject government contractors to uniform standards, there will likely be compliance costs associated with increased cybersecurity requirements.