Editor’s Note: Mr. Perera is correct. Many companies should not consider either the Executive Order or the Presidential Policy Directive to be voluntary. Instead, cyber security is an example of Regulation by Executive Order.
From: FierceGovernmentIT
By David Perera
Adoption of the cybersecurity framework called for by an executive order on cybersecurity signed by President Obama on Feb. 12 might not be voluntary for companies regulated by federal agencies with authority to require adoption, specifically those “agencies with responsibility for regulating the security of critical infrastructure,” the executive order says.
Whether those regulatory agencies have authority to mandate adoption will be the subject of a 90-day review to occur after publication of the draft framework, which is set to occur in October. Should the review determine current authority doesn’t exist, section 10 of the executive order directs those agencies to propose within 90 days of the framework’s final publication new regulations that allow them to “mitigate cyber risk.”
“Adoption of the framework will be voluntary for companies that do not fall under a regulatory agency with the authority to adopt the framework into its rules or if the regulatory agency determines that regulation is not necessary,” the White House said in response to an inquiry.