Improving Critical Infrastructure Cybersecurity
Feb 19, 2013
Signed by: Barack Obama
Signed on: Feb 12, 2013
Published on: Feb 19, 2013
Summary
Creates a partnership between the government and private companies to protect important systems like power grids and banks from computer attacks.
What problem does this solve?
Cyber attacks on important national systems are increasing and pose a serious threat to the country's safety and economy. This order creates a plan for the government and private companies to work together, share information, and create standards to better defend against these threats.
What does this order do?
Reference (section header): Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
Creates a national Cybersecurity Framework
Directs the National Institute of Standards and Technology (NIST) to lead the development of a set of voluntary standards and best practices to help organizations manage and reduce cybersecurity risks.
Increases cyber threat information sharing
Requires the government to increase the amount, speed, and quality of cyber threat information it shares with private companies to help them defend themselves against attacks.
Reference (section header): Identification of Critical Infrastructure at Greatest Risk.
Identifies critical infrastructure at greatest risk
Requires the Secretary of Homeland Security to identify the most vital systems and assets where a cyber attack could have a devastating effect on national security, the economy, or public health.
Reference (section header): Voluntary Critical Infrastructure Cybersecurity Program.
Establishes a voluntary adoption program
Creates a voluntary program, led by the Secretary of Homeland Security, to encourage and support private companies in adopting the new Cybersecurity Framework.
Requires privacy and civil liberties protections
Mandates that government agencies build protections for privacy and civil liberties into all activities under this order and requires a public report on these measures.
Expands a classified information sharing program
Directs the expansion of the Enhanced Cybersecurity Services program, which provides classified government cyber threat information to eligible critical infrastructure companies.
Who does this affect?
- Owners and operators of critical infrastructure
- Federal government agencies
- Cybersecurity and technology companies
What is the real world impact?
• Strengthens national security through public-private partnership
Encourages collaboration between the government and private companies that own critical systems. This partnership aims to improve the defense of essential services like electricity, finance, and transportation against growing cyber threats.
• Creates a voluntary set of security standards
Establishes a flexible, risk-based Cybersecurity Framework of best practices rather than forcing strict regulations. This approach encourages adoption by being adaptable to different industries and company sizes, promoting innovation in security.
When does this start?
This order takes effect immediately on February 12, 2013, and sets several deadlines for federal agencies to complete specific tasks.
Cyber threat information sharing instructions
Within 120 days (by June 12, 2013), the Attorney General, Secretary of Homeland Security, and Director of National Intelligence must issue instructions to increase sharing of cyber threat reports.
Reference (section header): Identification of Critical Infrastructure at Greatest Risk.
Identify infrastructure at greatest risk
Within 150 days (by July 12, 2013), the Secretary of Homeland Security must identify critical infrastructure where a cyber incident could cause catastrophic harm.
Reference (section header): Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
Preliminary Cybersecurity Framework published
Within 240 days (by October 10, 2013), the Director of NIST must publish a preliminary version of the Cybersecurity Framework for public review.
Reference (section header): Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
Final Cybersecurity Framework published
Within one year (by February 12, 2014), the Director of NIST must publish the final version of the Cybersecurity Framework.
Privacy and civil liberties report
Within one year (by February 12, 2014), the Department of Homeland Security must release a public report assessing the privacy and civil liberties risks of the order's programs.

