Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directed the Secretary of Homeland Security to identify “critical infrastructure at greatest risk” within 150 days after issuance of the Order on February 12, 2013. Section 9 of the Order specified that the Secretary, in consultation with sector-specific agencies, should “use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The Order further directed the Secretary to provide the list of identified critical infrastructure to the President, confidentially notify owners and operators of identified critical infrastructure, and establish a process for such owners and operators to request reconsideration of their identification.
On April 17, the Department of Homeland Security (“DHS”) issued a Federal Register notice regarding its actions pursuant to Section 9 of the Executive Order. The Notice reports that after consulting with “sector stakeholders,” including critical infrastructure owners and operators, sector-specific agencies, and subject-matter experts, the Secretary of Homeland Security provided an initial list of identified critical infrastructure to the President on July 19, 2013. DHS explained that it has completed the process of notifying owners and operators of critical infrastructure that has been identified as “at greatest risk,” and therefore “[i]f critical infrastructure owners and operators have not been contacted by DHS in connection with their status on the initial list, then such infrastructure has not been included on the initial list.” The list of critical infrastructure at greatest risk will be updated annually going forward.Continue Reading DHS Announces Reconsideration Process for “Critical Infrastructure at Greatest Risk”