On February 12, 2013, President Barack Obama issued an Executive Order (“EO”) and an accompanying Presidential Policy Directive, PPD-21 (“PPD”), in an effort to improve cybersecurity for critical infrastructure. Specifically, the EO requires improved cybersecurity information sharing between the federal government and the owners and operators of critical infrastructure – certain systems and assets vital to the U.S. – and the development by the federal government of standards to reduce cyber risks to critical infrastructure. The PPD delineates the critical infrastructure-related functions, roles, and responsibilities across the federal government for implementing the EO. The PPD identifies 16 critical infrastructure sectors (including energy) and designates “Sector-Specific Agencies” responsible for each sector. Of note, the Department of Energy is the agency responsible for the energy sector.
To improve information sharing, the EO requires the Secretary of Homeland Security (“Secretary”) to ensure the production of unclassified reports of cyber threats to the U.S., as well as the dissemination of classified reports to those owners or operators of critical infrastructure authorized to receive them. The EO also directs the Secretary to expand a voluntary information sharing program that provides classified cyber threat and technical information from the government to eligible critical infrastructure companies or to commercial service providers that offer security services to critical infrastructure. Additionally, the EO requires the Secretary to expedite the processing of security clearances for personnel employed by critical infrastructure owners and operators.
In terms of standards, the National Institute of Standards and Technology will lead the development of a Cybersecurity Framework (“Framework”), which will incorporate voluntary consensus standards and industry best practices to the fullest extent possible. Further, the EO directs the Secretary and Sector-Specific Agencies to establish a voluntary program to support the adoption of the Framework by owners and operators of critical infrastructure and any other interested entities. This voluntary program will include incentives designed to promote participation in the Framework. Each agency with responsibility for regulating the security of critical infrastructure (the Sector-Specific Agency) will determine whether it has authority to establish requirements based on the Framework and, if such authority is insufficient, the agency shall propose actions to mitigate cyber risk.
A copy of the EO is available here. A copy of the PPD is available here.