Government Contracts Legal Forum

Cybersecurity Receives Presidential Push with New Cyber Executive Order

Gordon Griffin, Kate Molony and David Bodenheimer all contributed to this post.

After years of abortive attempts by Congress to enact comprehensive cybersecurity legislation, the President took matters into his own hands on February 12, signing an Executive Order, Improving Critical Infrastructure Cybersecurity.  Identifying the cyber threat as "one of the most serious national security challenges we must confront," this Order, along with its contemporaneous Presidential Policy Directive, lays out the policy goals for the President's cybersecurity program, as well as some specific initiatives. 

Overview.  The Order is long on plans for coordinating government cyber efforts, but it is short on concrete details for just how to implement such a unified whole-of-government approach.  The specifics in the eight-page document include two major initiatives relating to information sharing and cybersecurity standards.

Information Sharing.  The Order lays out the goals and requirements for information sharing on cyber threats.  Within 120 days, the Order provides:  (1) the Secretary of Homeland Security ("the Secretary"), the Director of National Intelligence ("DNI"), and the Attorney General ("AG") shall issue instructions on producing unclassified reports of cyber threats to specifically targeted entities; (2) the Secretary, the DNI, and the AG shall include in these instructions a process for disseminating classified reports to those entities authorized to receive such information; and (3) the Secretary, in coordination with the Secretary of Defense, shall establish a voluntary information-sharing network called the "Enhanced Cybersecurity Services Program," which will provide classified threat information to eligible companies.

Cybersecurity Standards.  The Order also requires the Secretary of Commerce to direct the Director of the National Institute of Standards and Technology ("NIST") to develop a set of standards and processes, incorporating "voluntary consensus standards and industry best practices to the fullest extent possible," to address cyber risks.  The Order designates this set of standards as the "Baseline Framework."  In addition, the Secretary must establish a Voluntary Critical Infrastructure Cybersecurity Program, using the Baseline Framework as the foundation for entry into the program.  The Order directs the Secretary to establish a set of incentives for private companies to enter into the Program, noting that some of the preferred incentives may require legislation.  Finally, the Order directs the Federal Acquisition Regulatory Council to develop recommendations on "the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration," thus signaling a likely push for new cybersecurity acquisition regulations for government contractors and the private sector.

No Safe Harbors.  The Order is almost as notable for what it lacks as for what it includes.  The executive branch lacks the legal authority to indemnify companies that meet certain minimum security standards or to exempt from FOIA any information shared by private entities.  These steps will be vital to ensure private sector cooperation and buy-in to the federal government's cybersecurity plans.

The Future.  In his State of the Union address, the President underscored the continuing need for cyber legislation, concluding that "Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks."  Until Congress acts, questions will remain on just what sort of public-private partnership can exist without protections for participating private entities.  Similarly, government contractors will need to pay close attention to the forthcoming incentives and recommendations on security standards in acquisition planning and government contract administration. 
