- The Commerce Department’s National Institute of Standards and Technology will publish a draft cybersecurity framework by October. The framework will include voluntary security standards for critical infrastructure companies, based on best practices and industry input. NIST will work with the Department of Homeland Security to publish a final version of the framework within a year.
- DHS will create a program to support voluntary adoption of the standards. By June, DHS, in coordination with the Treasury and Commerce departments, must recommend incentives to entice private-sector involvement in the program.
- DHS will identify companies that control the most critical infrastructures, the target audience for the voluntary program.
- The Defense Industrial Base Information Sharing Program will be expanded to include more critical infrastructure companies. Under the program, government and industry share classified threat information, including software code used to identify malware.
- By June, the Defense Department and General Services Administration will make recommendations on the feasibility and benefits of incorporating security standards into federal contracts and acquisition planning, and on whether those standards are consistent with existing procurement requirements.
- Agencies are directed to regularly assess the privacy and civil liberties impacts of their activities and share that information with the public.
- For sectors currently regulated by the federal government, such as the chemical and nuclear sectors, security standards could become mandatory.
- The executive order directs regulatory agencies to assess whether their current cybersecurity regulations are sufficient. “If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the cybersecurity framework and in consultation with their regulated companies,” the White House said.
- Administration officials would not say what legal or financial ramifications regulated companies could face if they did not comply with potential new standards.