Cybersecurity framework could be mandatory for some companies
Adoption of the cybersecurity framework called for by an executive order on cybersecurity signed by President Obama on Feb. 12 might not be voluntary for companies regulated by federal agencies with authority to require adoption, specifically those "agencies with responsibility for regulating the security of critical infrastructure," the executive order says.

Whether those regulatory agencies have authority to mandate adoption will be the subject of a 90-day review to occur after publication of the draft framework, which is set to occur in October. Should the review determine that current authority doesn't exist, section 10 of the executive order directs those agencies to propose, within 90 days of the framework's final publication, new regulations that allow them to "mitigate cyber risk."

"Adoption of the framework will be voluntary for companies that do not fall under a regulatory agency with the authority to adopt the framework into its rules or if the regulatory agency determines that regulation is not necessary," the White House said in response to an inquiry.

The White House said industry sectors that fall under the scope of agencies with responsibility for regulating critical infrastructure security include:

  • the defense industrial base through the Defense Department;
  • healthcare and public health through the Health and Human Services Department;
  • transportation systems through the Transportation Security Administration;
  • the chemical industry through the Homeland Security Department; some oil and gas operations as well as waste and wastewater systems also fall under chemical security regulations issued by DHS.

In addition, the Agriculture Department has "limited authority" over the food and agriculture industries, the White House said.

Industry sectors that the White House said do not come under an agency with power to regulate for security include information technology, non-federally owned dams (since regulation is done at the state level), emergency services (which typically are regulated at the state level) and "commercial facilities."

In addition, the executive order does not pertain to sectors covered by independent regulatory agencies, the White House said. Those include the nuclear power industry, regulated by the Nuclear Regulatory Commission; telecommunications, regulated by the Federal Communications Commission; and the financial industry, regulated by eight different federal agencies.
