Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directed the Secretary of Homeland Security to identify “critical infrastructure at greatest risk” within 150 days after issuance of the Order on February 12, 2013. Section 9 of the Order specified that the Secretary, in consultation with sector-specific agencies, should “use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The Order further directed the Secretary to provide the list of identified critical infrastructure to the President, confidentially notify owners and operators of identified critical infrastructure, and establish a process for such owners and operators to request reconsideration of their identification.
On April 17, the Department of Homeland Security (“DHS”) issued a Federal Register notice regarding its actions pursuant to Section 9 of the Executive Order. The Notice reports that after consulting with “sector stakeholders,” including critical infrastructure owners and operators, sector-specific agencies, and subject-matter experts, the Secretary of Homeland Security provided an initial list of identified critical infrastructure to the President on July 19, 2013. DHS explained that it has completed the process of notifying owners and operators of critical infrastructure that has been identified as “at greatest risk,” and therefore “[i]f critical infrastructure owners and operators have not been contacted by DHS in connection with their status on the initial list, then such infrastructure has not been included on the initial list.” The list of critical infrastructure at greatest risk will be updated annually going forward.
The Notice also establishes a process for critical infrastructure owners and operators to request reconsideration of their entity’s identification. To challenge an identification for this year, owners and operators must submit a written request for reconsideration to DHS by May 15, 2014, along with new information that forms the basis for the request. Entities requesting reconsideration may also request an in-person or telephone meeting with DHS to discuss the basis for their identification or to discuss the additional information that will form the basis for their reconsideration request. The Notice provides additional details regarding the format of reconsideration requests and relevant DHS contact information.
In addressing the impact of identification pursuant to the Executive Order, the Notice explains that the “primary purpose” of identification is “to better understand national and regional cyber dependencies and consequences across critical infrastructure, inform planning and program development for federal critical infrastructure security and resilience programs, and enable improved cyber risk management by the identified critical infrastructure owners and operators.” It further explains that owners and operators of identified critical infrastructure may:
- Request expedited processing in the DHS Private Sector Clearance Program;
- Receive priority for routine and incident-driven cyber technical assistance activities conducted by DHS and other agencies; and
- Be encouraged to participate in the cybersecurity Framework recently released by the National Institute of Standards and Technology.