On August 6, 2013, the Obama Administration posted links on The White House Blog to reports from the Departments of Commerce, Homeland Security and Treasury containing recommendations on incentivizing companies to align their cybersecurity practices with the Cybersecurity Framework. These reports respond to the Administration’s February 2013 executive order entitled Improving Critical Infrastructure Cybersecurity (the “Executive Order”).
The Executive Order directs the Department of Commerce’s National Institute of Standards and Technology (“NIST”) to lead the development of a Cybersecurity Framework aimed at reducing cyber risks to critical infrastructure. NIST released a preliminary draft outline of the Framework in July 2013. The Executive Order also calls on the Department of Homeland Security to establish a Voluntary Program to support adoption of the Cybersecurity Framework. Pursuant to Section 8(d) of the Executive Order, the Departments of Commerce, Homeland Security and Treasury were required to submit reports to the President that include an analysis of the benefits and related effectiveness of incentives designed to promote companies’ participation in the Voluntary Program.
The publication of these agency reports does not represent the Obama Administration’s final policy position on the recommended action, but it does offer an initial look at how the critical infrastructure community could be incentivized to adopt the Cybersecurity Framework and Voluntary Program. The reports, taken as a whole, suggest eight areas for potential incentives: (1) cybersecurity insurance, (2) federal grants, (3) process preference, (4) liability limitation, (5) streamlined regulations, (6) public recognition, (7) rate recovery for price-regulated industries and (8) cybersecurity research and development.
Over the next few months, agencies will examine these recommendations to determine which incentives to adopt and how. Some of the proposed incentives can be put in place quickly under existing authorities, while others would require legislative action. A draft Cybersecurity Framework is due in October 2013 and a final version is expected by February 2014.