As part of an ongoing effort to improve the federal government’s cybersecurity practices, President Barack Obama signed two executive orders this week establishing a Federal Privacy Council to be filled by Senior Agency Officials from at least 24 federal agencies, and a Commission on Enhancing National Cybersecurity, to be composed of up to 12 members appointed by the President. The President has proposed $19 billion to be invested in cybersecurity in his most recent budget proposal.
The purpose of the Federal Privacy Council will be to “establish an interagency support structure” to “improve the Government privacy practices of agencies and entities acting on [its] behalf].” The executive order obligates the Director of the Office of Management and Budget to “issue a revised policy on the role and designation of the Senior Agency Officials for Privacy,” and “shall provide guidance on the Senior Agency Official for Privacy’s responsibilities at their agencies, required level of expertise, adequate level of resources, and other matters as determined by the Director.”
The Commission on Enhancing National Cybersecurity, on the other hand, will be part of the Department of Commerce and will provide “detailed recommendations to strengthen cybersecurity in both the public and private sectors[.]” The Commission is directed to “identify and study actions necessary to further improve cybersecurity awareness, risk management, and adoption of best practices throughout the private sector and at all levels of government.”
The executive orders are part of the President’s Cybersecurity National Action Plan (“CNAP”), which he characterizes as “the capstone of more than seven years of effort” on the issue of cybersecurity. CNAP will include several additional initiatives, including the creation of a National Center for Cybersecurity Resilience “where companies and sector-wide organizations can test the security of systems in a contained environment” and a “Cybersecurity Assurance Program” to “test and certify networked devices within the ‘Internet of Things.’”
The new programs may present both new legal challenges for privacy compliance and opportunities for coordination of cybersecurity efforts. The Office of Management and Budget plans to issue further guidance on the new privacy initiative within the next 120 days.