Adoption of the cybersecurity framework called for by the executive order President Obama signed on Feb. 12 might not be voluntary for companies regulated by federal agencies with authority to require adoption--specifically those "agencies with responsibility for regulating the security of critical infrastructure," the executive order says.
Whether those regulatory agencies have authority to mandate adoption will be the subject of a 90-day review to occur after publication of the draft framework, which is set to occur in October. Should the review determine that current authority doesn't exist, section 10 of the executive order directs those agencies to propose, within 90 days of the framework's final publication, new regulations that allow them to "mitigate cyber risk."
"Adoption of the framework will be voluntary for companies that do not fall under a regulatory agency with the authority to adopt the framework into its rules or if the regulatory agency determines that regulation is not necessary," the White House said in response to an inquiry.
The White House said industry sectors that fall under the scope of agencies with responsibility for regulating critical infrastructure security include:
- the defense industrial base through the Defense Department;
- healthcare and public health through the Health and Human Services Department;
- transportation systems through the Transportation Security Administration;
- the chemical industry through the Homeland Security Department; some oil and gas operations, as well as waste and wastewater systems, also fall under chemical security regulations issued by DHS.
Industry sectors the White House said do not come under an agency with power to regulate for security include information technology; non-federally-owned dams, since regulation is done at the state level; emergency services, which typically are regulated at the state level; and "commercial facilities."
In addition, the executive order does not pertain to sectors covered by independent regulatory agencies, the White House said. These include the nuclear power industry, regulated by the Nuclear Regulatory Commission; telecommunications, regulated by the Federal Communications Commission; and the financial industry, regulated by eight different federal agencies.