The above-captioned Executive Order, signed yesterday, was developed to manage cybersecurity risks to critical infrastructure and addresses two key issues: information sharing and the development of a Cybersecurity Framework.
Information Sharing
Under this Executive Order, the Government will expand its current information sharing responsibilities. These include the timely production of unclassified reports of cyber threats that identify specific targeted entities, rapid dissemination of those reports to the targeted entity, and dissemination of classified reports to critical infrastructure entities authorized to receive them.
In addition, the process of issuing security clearances to certain critical infrastructure personnel will be expedited, and the Secretary of Homeland Security will expand the use of programs that bring private sector subject matter experts into Federal service on a temporary basis. The Enhanced Cybersecurity Services program, previously limited to the Defense Industrial Base, will be expanded to additional critical infrastructure sectors. The Secretary of Homeland Security will also establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure. All of these activities will be reviewed by the DHS privacy and civil liberties officers.
Cybersecurity Framework
The National Institute of Standards and Technology (NIST) will lead the development of a Cybersecurity Framework that includes standards, methodologies, procedures, and processes to address cyber risk. NIST will develop it through an open public review and comment process.
DHS, in coordination with the Sector Specific Agencies (SSAs; see prev. post for explanation), will establish a voluntary program to support adoption of the Cybersecurity Framework. SSAs will report annually to the President on the extent to which institutions identified as being at greatest risk (as determined by DHS with input from SSAs) are participating in the Program. Institutions identified as being at greatest risk will be notified confidentially.
DHS will coordinate and establish incentives to promote participation in the Program. Agencies with responsibility for regulating the security of critical infrastructure will work with DHS, the Office of Management and Budget (OMB) and the National Security Staff to review the preliminary Cybersecurity Framework and determine whether current regulatory requirements are sufficient. The regulatory agencies will report to the President on whether they have clear authority to regulate in this space. If current regulatory requirements are deemed insufficient, agencies will propose actions to mitigate cyber risk. Independent regulatory agencies are encouraged to participate in the consultative process.
Deadlines:
- 120 days – Attorney General, Secretary of Homeland Security, and Director of National Intelligence will each issue instructions to ensure the timely production and dissemination of unclassified reports of cyber threats.
- 120 days – Secretary of Homeland Security, in collaboration with the Secretary of Defense, will establish procedures to expand the Enhanced Cybersecurity Services program.
- 120 days – DHS, in coordination with Treasury and Commerce, shall recommend a set of incentives to encourage participation in the Program.
- 120 days – Department of Defense and General Services Administration, in consultation with DHS and the Federal Acquisition Regulatory Council, report on the feasibility of incorporating security standards into acquisition planning and contract administration.
- 150 days – DHS will identify the critical infrastructure at greatest risk.
- 240 days – NIST will publish a preliminary version of the Cybersecurity Framework.
- 1 year – NIST will publish the final version of the Cybersecurity Framework.
- 90 days after release of the preliminary Framework – Regulatory agencies submit a report to the President on whether they have clear authority to establish requirements based on the Framework.
- 90 days after release of the final Framework – If current regulatory requirements are deemed insufficient, regulatory agencies shall propose actions to mitigate cyber risk.