No New Cybersecurity Regs Coming from Feds
White House: Voluntary Programs Help Secure Critical IT
None of the executive branch agencies that have regulatory authority over critical infrastructure operators - Environmental Protection Agency and departments of Health and Human Services and Homeland Security - will impose new cybersecurity rules on the industries they regulate.
White House Cybersecurity Coordinator Michael Daniel says an administration analysis supports its current voluntary approach to address cybersecurity risk management.
"The administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information," Daniel writes in a White House blog.
Fifteen months ago, President Obama issued an executive order, Improving Critical Infrastructure Cybersecurity, which directed executive branch agencies to assess whether and how existing cybersecurity regulations could be streamlined and better aligned with the cybersecurity framework unveiled a year later (see Obama Issues Cybersecurity Executive Order).
After an extensive review, the White House determined only the three agencies had to file reports. Regulating drinking water and waste-water is the EPA; medical devices, electronic health records and health exchanges is HHS; and chemical facilities and transportation is DHS.
The executive order does not apply to independent regulatory agencies, so the review represented a limit number of critical infrastructure sectors: chemical, health, transportation and water.
Most of the agencies reported that they have cooperative initiatives with industries they regulate to help identify cybersecurity best practices.
HHS's assessment, for instance, says the department works in voluntary partnership with public and private sector entities in the healthcare and public health and food and agriculture sectors to enhance their security and resilience with respect to all hazards, including cyberthreats.
Despite no new regulations in the offing, Daniel says the agencies must continue to work to ensure that existing regulations are clear, streamlined and harmonized.
"Agencies with regulatory authority have determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to those systems," Daniel says. "Over the next two years, these departments and agencies will jointly investigate and leverage opportunities to improve the efficiency, clarity and coordination of existing regulations."
