The White House Is Finalizing An Executive Order On Cybersecurity


With Capitol Hill and the media both focusing on the “fiscal cliff,” the White House has quietly moved one step closer to issuing an executive order (“EO”) on cybersecurity.
In a recently leaked version of the draft order, the White House has added several provisions that are the direct result of meetings with private sector leaders. The draft EO calls for cooperation and information sharing between the private sector and government. However, it is already catching criticism for what some experts say are incentives that may force some companies to participate. 
The EO would give the Secretary of Homeland Security 150 days to identify critical infrastructure where a cyber incident “could reasonably result in a debilitating impact on national security, national economic security, or national public health and safety.” While this language is a bit ambiguous, healthcare organizations, financial institutions, and energy companies are likely to be deemed as “critical” and therefore should pay close attention to the developments surrounding this EO.
The EO also orders the National Institute of Standards and Technology (NIST) to create something called the “Cybersecurity Framework” Presumably this will be a set of best practices or industry standards. The EO only gives the NIST 240 days to publish a preliminary version of its Cybersecurity Framework. Anyone familiar with the federal government knows that the bureaucracy is ill-suited to move that quickly but even at that pace, whatever framework is created will probably be obsolete the moment it becomes final, since by then new technologies will exist bringing with them new vulnerabilities that the Cybersecurity Framework does not address.
Nonetheless, the EO makes several proposals to the private sector in order to compel businesses to follow the Cybersecurity Framework “voluntarily.” First, the EO calls for the Secretary of Homeland Security to encourage the owners and managers of “critical infrastructure” to follow the “voluntary” standards being created by the NIST. Second, each sector-specific federal agency would be required to report to the President—within 90 days of the publication of the Cybersecurity Framework—on the extent of its existing regulatory power to mandate cybersecurity requirements for the industry it regulates. These sector-specific agencies include the SEC, the FTC, the FAA, the Department of Energy, HHS, and every other regulatory agency. Finally, the EO recommends that each agency propose regulations to mitigate cybersecurity risks within 14 months of the order. 
So, if you are a bank, a hospital, an energy provider, or you think your business might fall under what is deemed “critical infrastructure,” you need to be aware that this EO is out there and that it will affect your business as soon as it is signed. Carlton Fields is monitoring the developments surrounding this EO and we will provide more information as it moves closer to being signed by the President.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising

Written by:


Carlton Fields on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.