critical infrastructure

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directed the Secretary of Homeland Security to identify “critical infrastructure at greatest risk” within 150 days after issuance of the Order on February 12, 2013.  Section 9 of the Order specified that the Secretary, in consultation with sector-specific agencies, should “use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  The Order further directed the Secretary to provide the list of identified critical infrastructure to the President, confidentially notify owners and operators of identified critical infrastructure, and establish a process for such owners and operators to request reconsideration of their identification.

On April 17, the Department of Homeland Security (“DHS”) issued a Federal Register notice regarding its actions pursuant to Section 9 of the Executive Order.  The Notice reports that after consulting with “sector stakeholders,” including critical infrastructure owners and operators, sector-specific agencies, and subject-matter experts, the Secretary of Homeland Security provided an initial list of identified critical infrastructure to the President on July 19, 2013.  DHS explained that it has completed the process of notifying owners and operators of critical infrastructure that has been identified as “at greatest risk,” and therefore “[i]f critical infrastructure owners and operators have not been contacted by DHS in connection with their status on the initial list, then such infrastructure has not been included on the initial list.”  The list of critical infrastructure at greatest risk will be updated annually going forward.

Continue Reading: DHS Announces Reconsideration Process for “Critical Infrastructure at Greatest Risk”

By Susan B. Cassidy

On March 12, 2014, the General Services Administration (“GSA”) issued a Request for Information (“RFI”) to obtain stakeholder input on implementing the recommendations contained in the joint GSA and Department of Defense (“DOD”) report, Improving Cybersecurity and Resilience through Acquisition (“Joint Report”), issued on January 23, 2014.

The Joint Report and, in turn, the RFI from GSA were issued in furtherance of Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity, which called for GSA and DOD, in consultation with the Secretary of Homeland Security and the Federal Acquisition Regulatory Council, to make recommendations to the President “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”  The Joint Report responded to this request with six recommendations for strengthening the federal government’s cyber resilience:

  1. Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;
  2. Address cybersecurity in relevant training;
  3. Develop common cybersecurity definitions for federal acquisitions;
  4. Institute a federal acquisition cyber risk management strategy;
  5. Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources, whenever available, in appropriate acquisitions; and
  6. Increase government accountability for cyber risk management.

Through the RFI issued on March 12, GSA has requested stakeholder input on how to implement the Joint Report’s recommendations.  To this end, GSA provided a draft Implementation Plan, which addresses the implementation of the Joint Report’s fourth recommendation, “institute a Federal acquisition cyber risk management strategy.”  The Implementation Plan explains that GSA will implement the Joint Report’s fourth recommendation first because “the risk management strategy and processes to institute it provide the foundation that is necessary for the other recommendations to be implemented.”

Continue Reading: GSA Seeks Comments on Implementation of GSA/DOD Cybersecurity Joint Report Recommendations

It has been an eventful week in the European Parliament in relation to data privacy and security matters.  Having already voted in favor of the General Data Protection Regulation (“GDPR”) and endorsed a controversial report into allegations of mass surveillance, the European Parliament voted yesterday on the proposed Network and Information Security (“NIS”) Directive.  In line with previous committee reports, the Parliament vote ensures that the Proposed Network and Information Security Directive focuses on protecting critical infrastructure in the energy, transport, financial services and health sectors.

The EU legislative bodies will now enter into negotiations to agree a final text.  Commissioner Kroes called earlier this week for this work to be completed this year, but this timeframe seems ambitious.

Continue Reading: European Parliament Votes to Ensure that the Proposed Network and Information Security Directive Focuses on Protecting Critical Infrastructure

Today the National Institute of Standards and Technology (“NIST”) issued a discussion draft of a “Preliminary Cybersecurity Framework.”

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity tasked NIST with developing a “Cybersecurity Framework” “to reduce cyber risks to critical infrastructure.”  The Order specifies that the Framework must “provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”

NIST is drafting the Framework in consultation with industry, other government agencies, and other experts.  The final version will provide voluntary cybersecurity guidance for critical infrastructure and other businesses.  NIST describes the Framework as providing “a common language for expressing, understanding, and managing cybersecurity risk.”

As described by the NIST discussion draft, the Framework is intended to guide businesses through a risk-based assessment and improvement of their cybersecurity posture.  The discussion draft Framework is organized around three components: the Framework Core, Implementation Tiers, and Profile.

Continue Reading: NIST Releases Preliminary Cybersecurity Framework