During the State of the Union address, President Obama announced that he had signed and issued an Executive Order on cybersecurity.
The Executive Order calls for cooperation and information sharing between the private sector and government. It sets forth a variety of requirements for regulatory agencies intended to improve the nation’s readiness for cyber threats and to protect critical infrastructure.
The Executive Order gives the Secretary of Homeland Security 150 days to identify critical infrastructure where a cyber incident “could reasonably result in a debilitating impact on national security, national economic security, or national public health and safety.”
Within 240 days, the National Institute of Standards and Technology (NIST) must publish a framework to reduce cyber risks to critical infrastructure and the framework shall:
-
create a set of standards that aligns policy, business, and technology to address cyber risks
-
identify areas that need improvement and that can benefit from public and private collaborations
-
include guidance for measuring performance
-
be consistent with international standards
-
include industry best practices and voluntary consensus standards
A final version of the NIST framework must be completed by February 2014.
While this Executive Order, like any other, is directed at federal agencies, its impact on the private sector and non-governmental organizations cannot be overlooked. Any business or organization regulated by a U.S. federal agency must understand that the government is broadening its reach in the cybersecurity space and that increased scrutiny of cybersecurity programs and breach response is a given.
So, if you are a bank, hospital, energy provider, or think your business might fall within the “critical infrastructure,” be aware that this Executive Order exists, and will affect your business.
Carlton Fields is monitoring the developments surrounding this Executive Order and will keep an eye on how the federal agencies implement its guidance. If you have any questions about this Executive Order or cybersecurity legal issues in general, please feel free to contact us.
