As part of the Executive Order signed by President Obama last month directing agencies to use their existing authorities and work with the private sector to better protect our nation’s power, water, and other critical systems, the Commerce Department is preparing a report on ways to incentivize companies and organizations to improve their cybersecurity. To better understand what stakeholders – such as companies, trade associations, academics and others – believe would best serve as incentives, the Department has released a series of questions to gather public comments in a Notice of Inquiry published today.
The national and economic security of the United States depends on the strength of our nation’s critical infrastructure. The cyber threat to critical infrastructure is growing, and represents one of the most serious national security challenges that the United States must confront. As the President stated in the Executive Order, “repeated cyber intrusions into America’s critical infrastructure demonstrate a need for improved cybersecurity.”
As a first step toward protecting critical infrastructure, the Executive Order tasks the Department of Homeland Security (DHS) to identify the systems that could be affected by a cybersecurity incident which could in catastrophic regional or national effects on public health or safety, economic security, or national security. Second, the National Institute of Standards and Technology (NIST) will develop a framework consisting of a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. This Cybersecurity Framework will provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to improving cybersecurity, which will help owners and operators of critical infrastructure identify, assess and mange cyber risk. Third, DHS will work with sector-specific agencies to develop the Critical Infrastructure Cybersecurity Program to promote voluntary adoption of the Framework.