Administration Shares Cyber Framework Incentives via Blog

On August 6th, Michael Daniel, the Special Assistant to the President and the Administration’s Cybersecurity Coordinator, posted a blog on the White House website entitled, “Incentives to Support Adoption of the Cybersecurity Framework.”

The blog opened with:  “The systems that run our nation’s critical infrastructure such as the electric grid, our drinking water, our trains, and other transportation are increasingly networked. As with any networked system, these systems are potentially vulnerable to a wide range of threats, and protecting this critical infrastructure from cyber threats is among our highest security priorities…” Daniel then went on to describe the value of the proposed Cybersecurity Framework as called for under Executive Order 13636 and how various incentives, when coupled with a to-be-created voluntary program, could encourage critical infrastructure sectors to adopt the Framework.  Some of the incentives can be adopted using existing authorities while others would require legislative action along with further analysis and dialogue among public and private partners.  Some of the highlighted incentives include the following:

  • Cybersecurity Insurance – The insurance industry should be engaged when developing the standards, procedures, and other measures that comprise the Framework and the Program. The goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.
  • Grants – Consider leveraging federal grant programs.  Consider incentivizing the adoption of the Framework and participation in the Voluntary Program as a condition or as one of the weighted criteria for federal critical infrastructure grants.
  • Process Preference – Participating in the Voluntary Program could be a consideration in expediting existing government service delivery. For example, the government sometimes provides technical assistance to critical infrastructure. Outside of incident response situations, the government could use Framework adoption and participation in the Voluntary Program as secondary criteria for prioritizing who receives that technical assistance.
  • Streamline Regulations – As the Framework and Voluntary Program are developed, Federal agencies will recommend areas that could help make compliance easier, for example:  eliminating overlaps among existing laws and regulation, enabling equivalent adoption across regulatory structures, and reducing audit burdens.
These options should not be construed as a final Administration policy; however, they do offer an initial examination of how the critical infrastructure community could be incentivized to adopt the Cybersecurity Framework as envisioned in the Executive Order.  To view the complete blog article, please go to www.whitehouse.gov/blog/2013/08/06 and scroll down to the Michael Daniel entry.