Privacy & Information Security Law Blog

On March 28, 2013, the Department of Commerce’s Notice of Inquiry into “Incentives to Adopt Improved Cybersecurity Practices” was published in the Federal Register (78 Fed. Reg. 18954). This Notice, which includes a series of broad questions for owners of the nation’s critical infrastructure, follows up on earlier Commerce inquiries focused on incentives for noncritical infrastructure. The Notice states that Commerce will use the responses it receives to evaluate a set of incentives designed to encourage owners of critical infrastructure to participate in a voluntary cybersecurity program. The Notice also indicates that Commerce will use the responses to inform its evaluation of whether the incentives would require legislation or could be implemented pursuant to existing law and authorities. In addition, the Notice provides that Commerce may use the responses to develop a broader set of recommendations that would apply to U.S. industry as a whole.

This Notice of Inquiry was triggered by President Obama’s recent Executive Order on Cybersecurity. The Executive Order (“Improving Critical Infrastructure Cybersecurity”) directs Commerce, as well as the Departments of Treasury and Homeland Security, to report to the President within 120 days on recommended incentives that could be used to encourage private sector adoption of a “Cybersecurity Framework” being developed by the National Institute of Standards and Technology. The Framework, as contemplated by the Executive Order, will consist of a set of voluntary cybersecurity standards, methodologies, procedures and processes for owners of critical infrastructure to address the cyber risks they face. Additionally, the Executive Order directs the Government Services Administration and the Department of Defense to report on how federal acquisition regulations can be used to incentivize adoption of the Framework.

The Obama Administration chose to have agencies draft individual reports to allow for better analysis of regulatory authority and because a combined report would have been cumbersome to coordinate. The reporting presents a challenge to the agencies, however, both because of the tight 120-day timeline, and also because the agencies are charged with evaluating incentives intended to encourage participation in a Cybersecurity Framework before the Framework is established.

This Notice of Inquiry represents the Commerce Department’s preliminary efforts to prepare its cybersecurity report to the President. The Department of Homeland Security is taking a different approach, conducting meetings with critical infrastructure owners to evaluate a set of 14 broad categories of what it describes as remunerative and coercive incentives suggested by government and industry sources.

The Notice of Inquiry provides a 30-day comment period and states that Commerce will submit its recommendations to the President no later than June 12, 2013.