The White House released an Executive Order (EO) on critical infrastructure cybersecurity and a Presidential Policy Directive (PPD) on critical infrastructure security and resilience. The EO includes a broad, general framework intended to improve “critical infrastructure” cybersecurity coordination and information sharing among government agencies and the private sector, as well as a process for a voluntary cybersecurity program for critical infrastructure entities.
The EO is consistent with existing, applicable law — it does not provide new legal authority or “provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law.” The EO applies to “critical infrastructure,” which is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The scope of what is considered “critical infrastructure” is not defined, and “critical infrastructure” could potentially include the power grid, financial market exchanges, and telecommunications networks.
The Department of Homeland Security will work with sector-specific agencies to identify critical infrastructure and assess cybersecurity requirements. The U.S. Treasury is the sector-specific agency that would oversee the financial sector on cybersecurity, and will work with federal financial regulators including the National Credit Union Administration (NCUA). Also, the National Institute for Standards and Technology (NIST) will coordinate a cybersecurity standards framework.
The Credit Union National Association (CUNA) continues to assess the impact of the cybersecurity order and continues to work with NCUA, Financial Services Sector Coordinating Council (FSSCC), BITS, Treasury, and other entities to coordinate on cybersecurity issues, and to ensure that credit unions are not unduly impacted from the cybersecurity framework for critical infrastructure entities. They are also engaged with Congress on any cybersecurity legislation that would provide new legal authority and requirements, such as with liability provisions on information sharing.
CUNA believes the cybersecurity framework should recognize existing data security standards that are applicable to financial institutions and credit unions. They are encouraged that the EO offers opportunities for additional coordination between the public and private sectors on cybersecurity and critical infrastructure issues. Credit unions are already subject to very extensive data security standards under the Gramm-Leach-Bliley Act (GLBA) and other applicable data security laws and regulations, including from NCUA and the Federal Financial Institutions Examination Council (FFIEC).
Also, late last week, the Government Accountability Office (GAO) released a cybersecurity report summarizing how the federal government is organized to protect its systems and resources against cyber-attacks; the report also offers recommendations on national strategy, roles, and responsibilities.