Assessing Cybersecurity Regulations


Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” called on Executive Branch agencies to assess whether and how existing cybersecurity regulation could be streamlined and better aligned with the Cybersecurity Framework launched in February 2014.

The EO directs Executive Branch departments and agencies with responsibility for regulating the security of private-sector critical infrastructure to: (1) assess the sufficiency of existing regulatory authority to establish requirements based on the Cybersecurity Framework to address current and projected cyber risks; and (2) identify proposed changes in order to address insufficiencies identified.

The Cybersecurity Framework articulates a risk management approach based on best practices and globally recognized standards. It is a voluntary tool that organizations can use to strengthen cyber risk management.

After extensive research, we determined that the following departments and agencies were required to submit reports: Environmental Protection Agency (drinking water and wastewater), Department of Health and Human Services (medical devices, electronic health records, health exchanges), and the Department of Homeland Security (chemical facilities and transportation).


HHS, DHS and EPA Don’t Need To Dole Out New Cyber Rules (nextgov)