Executive Order 13636, issued in February of 2013, called for the development of a “Cybersecurity Framework” that would, inter alia, create voluntary standards for addressing cyber risks. It also directed certain Executive Branch departments to assess the sufficiency of existing regulatory authority to establish requirements based on the Framework, published in February 2014. Following completion of the assessment, last month the White House concluded that the existing regulatory requirements coupled with strong voluntary public-private partnerships are sufficient to mitigate cyber risks. This is a rather surprising conclusion for the Administration to reach after initially seeking legislation that would have authorized it to develop regulations for critical infrastructures. Notably, however, the review focused on only four critical infrastructure sectors ‒ water, health, transportation, and chemical. The press accounts of the assessment have largely missed this key limitation. The key question is, why did the Administration not assess whether regulation was needed for other key critical infrastructures, such as financial services, communications, and energy?