The White House announced Thursday it would not order executive branch departments and agencies to impose a newly developed cybersecurity framework, instead opting for a voluntary implementation of the standards.
Specifically, the Department of Health and Human Services, the Department of Homeland Security and the Environmental Protection Agency are encouraged — but not forced — to use the National Institute of Standards and Technology framework to supplement their existing cyber regulations, said White House Cybersecurity Coordinator Michael Daniel.
“[T]he Administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information,” Daniel wrote on the White House blog.
President Obama signed an executive order in February 2013 to assess the cyber regulations of his executive agencies and determine whether changes should be made. A year later, at his request, NIST released a cybersecurity framework of best practices to protect critical private-sector infrastructure. Introduced as a voluntary measure, the framework was meant to be imposed on agencies with weak cyber standards.
But after surveying the cyber regulations of DHS, HHS and the EPA — the three agencies required to submit reports — the White House determined the agencies’ current standards were strong enough and the NIST framework should remain a recommended, voluntary tool for organizations to strengthen cyber risk management.
This, however, is not the end of the push for better cybersecurity, Daniel said.
“Now, this doesn’t mean that we don’t have more work to do to secure our critical systems and information throughout the country,” he said. “Nor does it mean that we can stop working to ensure that regulations as written are clear, streamlined, and harmonized… Over the next two years, these departments and agencies will jointly investigate and leverage opportunities to improve the efficiency, clarity, and coordination of existing regulations.”
Of course, that applies only to executive departments and agencies — a massive section of the American infrastructure, regulated by independent agencies, was not considered in this analysis.
“[T]he analysis conducted pursuant to EO 13636 represents a limited subset of critical infrastructure sectors: water, health, transportation, and chemical,” Daniel said. “Independent regulatory agencies may engage in similar analysis but are not required to under this EO.”