Assessing Cybersecurity Regulations
Effective regulations are an important tool to protect the security and economic vitality of our nation. The President is committed to simplifying and streamlining regulations while ensuring that the benefits justify the costs. In fact, this Administration has undertaken one of the most significant and transparent reform efforts aimed at eliminating unjustified regulatory costs to date.
In light of this commitment, the President’s Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” called on Executive Branch agencies to assess whether and how existing cybersecurity regulation could be streamlined and better aligned with the Cybersecurity Framework launched in February 2014. It is important to understand that an Executive Order can only direct Executive Branch agencies, not independent regulators. Much of critical infrastructure is regulated by independent regulators; therefore, the analysis conducted pursuant to EO 13636 represents a limited subset of critical infrastructure sectors: water, health, transportation, and chemical. Independent regulatory agencies may engage in similar analysis but are not required to under this EO.
The EO directs Executive Branch departments and agencies with responsibility for regulating the security of private-sector critical infrastructure to: (1) assess the sufficiency of existing regulatory authority to establish requirements based on the Cybersecurity Framework to address current and projected cyber risks; and (2) identify proposed changes in order to address insufficiencies identified. The Cybersecurity Framework articulates a risk management approach based on best practices and globally recognized standards. It is a voluntary tool that organizations can use to strengthen cyber risk management.
After extensive research, we determined that the following departments and agencies were required to submit reports: Environmental Protection Agency (drinking water and waste-water), Department of Health and Human Services (medical devices, electronic health records, health exchanges), and the Department of Homeland Security (chemical facilities and transportation). I encourage you to read their individual reports located here: DHS, HHS, EPA.
The major outcome is that the Administration’s analysis supports our current voluntary approach to addressing cyber risk. Most of these departments have general regulatory authority; some have existing cybersecurity-specific regulations, some do not, and some do not have clear authority to regulate for cybersecurity. Additionally, the degree to which current authorities are used to regulate for cybersecurity ranges from high-level requirements to voluntary guidance. At this time, though, the Administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information.
Now, this doesn’t mean that we don’t have more work to do to secure our critical systems and information throughout the country. Nor does it mean that we can stop working to ensure that regulations as written are clear, streamlined, and harmonized. It does mean that agencies with regulatory authority have determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to those systems. Over the next two years, these departments and agencies will jointly investigate and leverage opportunities to improve the efficiency, clarity, and coordination of existing regulations.
I am greatly encouraged by the progress we have made to date. The threat to our systems and information is dynamic and rapidly evolving; we must build equally agile and responsive capabilities not bound by outdated and inflexible rules and procedures. Industry has demonstrated its commitment to using the voluntary Cybersecurity Framework. We in the federal government are equally committed to removing obstacles and stimulating positive incentives for strengthening cyber risk management across all critical infrastructure sectors.