Feds Hold Off on Security Regulations

Friday, May 30, 2014 @ 05:05 PM gHale


None of the executive branch agencies that have regulatory authority over critical infrastructure operators, which include the Environmental Protection Agency (EPA) and the departments of Health and Human Services (HHS) and Homeland Security (DHS), will impose new cybersecurity rules on the industries they regulate.

An administration analysis supports its current voluntary approach to address cybersecurity risk management, said White House Cybersecurity Coordinator Michael Daniel.

“The administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information,” Daniel said in a White House blog.

Fifteen months ago, President Obama issued an executive order, Improving Critical Infrastructure Cybersecurity, which directed executive branch agencies to assess whether and how existing cybersecurity regulations could be streamlined and better aligned with the cybersecurity framework unveiled a year later.

After an extensive review, the White House determined that only the three agencies had to file reports. The EPA regulates drinking water and wastewater; HHS regulates medical devices, electronic health records and health exchanges; and DHS regulates chemical facilities and transportation.

The executive order does not apply to independent regulatory agencies, so the review covered a limited number of critical infrastructure sectors: chemical, health, transportation and water.

Most of the agencies reported they have cooperative initiatives with industries they regulate to help identify cybersecurity best practices.

HHS’s assessment, for instance, said the department works in voluntary partnership with public and private sector entities in the healthcare and public health and food and agriculture sectors to enhance their security and resilience with respect to all hazards, including cyberthreats.

Despite no new regulations in the offing, Daniel said the agencies must continue to work to ensure that existing regulations are clear, streamlined and harmonized.

“Agencies with regulatory authority have determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to those systems,” Daniel said. “Over the next two years, these departments and agencies will jointly investigate and leverage opportunities to improve the efficiency, clarity and coordination of existing regulations.”


