CYBERSECURITY CLIENT ALERT: White House Issues Long-Awaited Cybersecurity Executive Order, New Presidential Directives for Critical Infrastructure

The White House issued a long-awaited Executive Order (EO) “Improving Critical Infrastructure Cybersecurity” which directs the U.S. Department of Homeland Security (DHS) and other agencies to quickly advance efforts to protect key critical infrastructure sectors.

The EO solidifies DHS’s role as the lead on cybersecurity and gives DHS the authority to designate private sector assets as “critical” to the nation’s economic and national security. The White House also issued a new Presidential Policy Directive (PPD) 21 which creates an integrated policy for both physical and cyber infrastructure, changes the designation of what is critical from 18 sectors to 16 and specifically calls out the energy and communications sectors as “uniquely critical” to the functioning of society.

The EO and the release of PPD 21 kick off what we expect to be a vigorous year-long effort by the Administration and the Congress to focus on cybersecurity issues—these are all efforts that will impact the energy, financial services, transportation, communications and health sectors along with government contractors. With the ever-present threats and daily cybersecurity attacks, it is safe to say that the Administration and the Congress will actively pursue these issues this year. Those companies that have not actively engaged on this issue should immediately refocus on what ultimately will be a debate on the legislative, regulatory and compliance process that will affect every company.

The EO focuses on a number of critical areas, including:

  • DHS to Identify Critical Infrastructure at Greatest Risk: Within 150 days, DHS will identify specific aspects of privately owned critical infrastructure where a cybersecurity incident could “reasonably result in catastrophic national effects on public health or safety, economic security, or national security.”
  • DHS to Expand Defense Industrial Base (DIB) Pilot: The DIB pilot will be expanded to other sectors to enable improved real-time information sharing on cyber threat data.
  • DHS to Focus on Cybersecurity Improvements to Critical Infrastructure: DHS will establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure.
  • Cybersecurity Framework: Within 240 days, the National Institute of Standards and Technology (NIST) will coordinate the development of a standards-based framework to reduce cyber risks to critical infrastructure.
  • Voluntary Critical Infrastructure Cybersecurity Program: DHS is directed to establish a voluntary program to support the adoption of the NIST Cybersecurity Framework.
  • Information Sharing: DHS, the Director of National Intelligence and the Attorney General will set up procedures for improved information sharing and processing of security clearances for owners and operators of critical infrastructure.
  • Privacy and Civil Liberties Protections: Core privacy and civil liberties issues will be evaluated in all programs within the EO.
  • Federal Procurement Process: Within 120 days of the EO, the Department of Defense (DOD) and the General Services Administration (GSA), in consultation with the DHS and the Federal Acquisition Regulatory Council, are required to make recommendations to the President on the feasibility, security benefits and relative merits of changing the federal procurement process to create preferences for vendors who meet cybersecurity standards.

PPD 21 replaces Homeland Security Presidential Directive/HSPD-7, Critical Infrastructure Identification which was issued on December 17, 2003.

  • Establish Critical Infrastructure Centers: DHS is to establish two new centers to focus on physical and cyber infrastructure and to better integrate private and federal resources.
  • Evaluate the Existing Public-Private Partnership Models: DHS must conduct an analysis of the existing public-private partnership model and recommend options for improving the effectiveness of this model in both the physical and cyber space.
  • Identify Baseline Data and Systems Requirements for the Federal Government to Enable Efficient Information Exchange: DHS will identify baseline data to enable the efficient exchange of information and intelligence to strengthen the security and resilience of critical infrastructure.
  • Update the National Infrastructure Protection Plan (NIPP) and R&D Plan: DHS must update the NIPP to strengthen the security and resilience of critical infrastructure and to create a matching R&D plan.

It is clear that the EO and the revised PPD could result in substantive changes to policy, regulatory and compliance issues that will affect all companies. This Executive Action makes it clear that all aspects of critical infrastructure need to actively engage with the Administration and Congress to ensure they adequately meet the needs of the private sector. Our team has the legal, legislative, regulatory and compliance expertise to help companies navigate through this process.