This Executive Order is intended to strengthen the cybersecurity of critical infrastructure by increasing information sharing and by jointly developing and implementing a framework of cybersecurity practices with industry partners.
- New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies. The Order expands the voluntary Enhanced Cybersecurity Services program, enabling near real time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.
- The development of a Cybersecurity Framework. NIST will work collaboratively with critical infrastructure stakeholders to develop the Cybersecurity Framework relying on existing international standards, practices, and procedures that have proven to be effective.
The Executive Order also:
- Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles. Agencies are required to incorporate privacy and civil liberties safeguards in their activities under this order. Those safeguards will be based upon the Fair Information Practice Principles (FIPPS) and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities and such assessments will be made public.
- Establishes a voluntary program to promote the adoption of the Cybersecurity Framework. The Department of Homeland Security will work with Sector-Specific Agencies like the Department of Energy and the Sector Coordinating Councils that represent industry to develop a program to assist companies with implementing the Cybersecurity Framework and to identify incentives for adoption.
- Calls for a review of existing cybersecurity regulation. Regulatory agencies will use the voluntary Cybersecurity Framework to assess their cybersecurity regulations, determine if existing requirements are sufficient, and whether any existing regulations can be eliminated as no longer effective. If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the Cybersecurity Framework and in consultation with their regulated companies. Independent regulatory agencies are encouraged to leverage the Cybersecurity Framework to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.
"Given the absence of comprehensive cybersecurity legislation, some security observers contend that E.O. 13636 is a necessary step in securing vital assets against cyberthreats. Others have expressed the view that the executive order could make enactment of a bill less likely or could lead to government intrusiveness into private-sector activities through increased regulation under existing statutory authority."
- Id. at §1: Policy.
- Cybersecurity: Legislation, Hearings, and Executive Branch Documents, at 1.