Three Executive Branch agencies with regulatory authority over critical infrastructure will continue to rely on voluntary cyber risk management by the sectors they oversee, rather than develop and impose additional cybersecurity regulations.

The White House yesterday released its conclusions on Executive Order 13636, signed by President Obama in February 2013. The EO directed Executive Branch agencies with regulatory authority to assess whether existing regulations are sufficient to secure critical infrastructure and to identify gaps that need to be addressed. The exercise was an effort to streamline regulations and align them with the Framework for Improving Critical Infrastructure Cybersecurity, released by NIST in February 2014, a year after EO 13636 was signed. The cybersecurity framework was lauded by a number of utilities, financial services organizations and service providers as comprehensive guidance for establishing and maintaining critical infrastructure security.

Michael Daniel, cybersecurity coordinator and special assistant to the president, said in a statement that the Obama administration supports the current voluntary approach to cyber risk management. The three agencies required to self-assess and report to the White House were the Department of Homeland Security, the Environmental Protection Agency and the Department of Health and Human Services. Between them, those agencies have oversight of everything from chemical facilities to drinking water to health exchanges.

“At this time, though, the Administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information,” Daniel said, adding that over the next two years those agencies will coordinate to improve existing regulations. “Agencies with regulatory authority have determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to those systems.”

To a certain extent, the government’s hands are tied with regard to critical infrastructure security, since so many utilities and providers are privately owned and fall outside direct federal control. The Executive Branch agencies were encouraged to strengthen private-sector partnerships in order to better share threat and mitigation information with the operators who actually run those systems.

The EPA, for example, has regulatory authority over critical infrastructure in the water and wastewater systems sector and can establish cybersecurity requirements for public drinking water systems. The industrial control systems and networks that monitor water and sewage treatment processes, in particular, could be tempting targets for sabotage or terrorism. In its report to the White House, the agency describes the voluntary actions it has already taken, and those it has established going forward, to preserve the integrity and resilience of water system networks.

Similarly, Health and Human Services, which has oversight of electronic health records and medical device security, used its report to describe the partnership programs it makes available to the private sector and its alliance with the Food and Drug Administration on medical device security. The report also describes the department’s incident response plan in the event of an attack on its own network.

“Effective regulations are an important tool to protect the security and economic vitality of our nation,” Daniel said. “The President is committed to simplifying and streamlining regulations while ensuring that the benefits justify the costs.”

Categories: Critical Infrastructure, Government

Comments (3)

  1. Andrew

    Kinda funny how HHS is in charge of HIPAA and other electronic health record privacy/security enforcement and yet does not have to follow cybersecurity regulations. Another case of “do as I say, not as I do.”

    • Spork

      You’re misunderstanding who is the regulator and who is being regulated. If they were to force compliance, HHS would be imposing new regulations on the health industry **IN ADDITION** to HIPAA. HHS is not the one being regulated.

  2. Rob R

    This headline is unclear. Do the Federal agencies get to ignore the regulations or do they push them down to lower-level agencies and contractors? After reading the article, it is less clear.
