White House readies new cyber regulation rollouts
- Sam Sabin, author of Axios Codebook
Anne Neuberger speaks during a news conference in February 2022. Photo: Oliver Contreras/Sipa/Bloomberg via Getty Images
Critical infrastructure sectors should start preparing for the next phase in the Biden administration's cyber regulatory plan after a pair of announcements from a top White House adviser on Thursday.
Driving the news: Anne Neuberger, deputy national security adviser for cybersecurity and emerging technology, shared updates during two public interviews Thursday — including one with Axios — on the White House's work to stand up new cyber regulatory structures for critical infrastructure sectors.
- Neuberger said during a Washington Post event in the morning that the communications, water and health care sectors are next on the administration's list for new cyber rules.
- Neuberger also told an audience at an Axios event in Washington last night that the Cybersecurity and Infrastructure Security Agency (CISA) is planning to release its highly anticipated, but voluntary, cybersecurity performance goals before the end of the month.
Details: Neuberger said the EPA, the FCC and the Department of Health and Human Services (HHS) will each release their own cyber guidelines and rules.
- The FCC will issue a notice of proposed rulemaking for emergency and public warning systems, HHS is working on guidelines for hospitals, and the EPA is reviewing ways to regulate water systems' cybersecurity, Neuberger said.
- CISA is releasing performance goals, as required in a Biden national security memo issued last year, that will suggest baseline security practices for operators.
The big picture: Each announcement represents the Biden administration's strong desire to expand cybersecurity regulations into the private sector.
- So far, the White House has had a piecemeal approach, taking one critical infrastructure sector at a time, such as pipelines, railroads and aviation.
- As for CISA, industry groups have expressed concerns that the new performance goals will be a precursor for mandatory requirements.
Meanwhile, Neuberger's office also announced plans earlier this week to host a meeting on Wednesday with industry groups to discuss a new initiative to create a cybersecurity label for Internet of Things devices.
What they're saying: "Many of our peer governments, whether the European Union or Koreans or others, have over the years put in place minimum cybersecurity standards for critical infrastructure," Neuberger said during the Axios event.
- "We're now recognizing we very much need to do that in the U.S."
Sign up for Axios’ cybersecurity newsletter Codebook here.