In case you missed it, earlier this evening President Obama finally signed the long-awaited Executive Order that focuses on protecting our critical infrastructure. It remains voluntary, which means no one is going to do it unless there’s some other incentive, but it does call for the government to more readily share information with critical infrastructure providers and emphasizes the creation of best practices. Oh … and it directs NIST to create yet another framework, rather than, say, just adding an appendix to the existing FISMA/800-53 material, on which these best practices will be based.
It seems like we have most of these capabilities and concepts already out there and that this order simply pulls everything together in one nice little package. I guess it’s a good start to get the ball rolling, whether that be to nudge Congress to get their act together or to establish a seed around which good security practices can flourish. And at least it wasn’t secret this time, as it’s already posted on the White House website.
GovInfoSecurity.com had a nice bulleted list of the major provisions for those that are interested. I highlighted a few interesting items.
- Creates new, real-time information sharing programs that would provide American companies with classified and unclassified cyberthreat information. The order establishes procedures to expedite the processing of security clearances to appropriate personnel employed by critical infrastructure operators.
- Directs the National Institute of Standards and Technology to collaborate with industry to develop a framework of cybersecurity best practices to reduce risk to critical infrastructure. The framework would rely on existing international standards, practices and procedures that have proven to be effective. One example of a best practice would be the use of authentication in identifying those who could gain access to high-risk systems. Infrastructure owners would not be compelled to adopt the framework.
- Requires strong privacy and civil-liberties protections based on the Fair Information Practice Principles, widely accepted guidelines to assure that practices are fair and provide adequate privacy protections.
- Establishes a voluntary program to promote the adoption of the cybersecurity framework. The Department of Homeland Security will work with sector-specific agencies such as the Department of Energy and the sector coordinating councils to develop a program to assist companies with implementing the cybersecurity framework and to identify incentives for adoption.
- Calls for a review of existing cybersecurity regulation. Regulatory agencies will use the cybersecurity framework to assess their cybersecurity regulations, determine if existing requirements are sufficient and whether any existing regulations can be eliminated as no longer effective.
Source: “Obama Issues Cybersecurity Executive Order” – GovInfoSecurity.com
Do you think this order is a step in the right direction? Let us know in the comments below. Today’s post pic is from GovInfosecurity.com. See ya!