Trump regulatory agenda puts off DHS decisions on proposed data-protection rules
Editor's Note: This article was originally published at InsideCybersecurity.com on Dec. 19, 2017.
The Trump administration's regulatory plan for 2018 delays several pending Department of Homeland Security proposals at least until spring, including revisions intended to make it easier for industry to share information about cyber threats through an automated system.
The administration's “unified regulatory agenda” released on Dec. 14 puts off a decision on whether DHS will issue a proposed rulemaking to revise requirements for “protected critical infrastructure information,” among several cyber-related regulatory actions.
“These updates and revisions would be a step towards meeting the challenges of evolving technology and identifying ways to make the PCII Program’s protective measures more effective for information-sharing partnerships between the Government and the private sector, particularly subject matter areas that have developed significantly since the issuance of the initial rule, such as automated information sharing,” according to the regulatory agenda, which is issued twice each year.
Last week's release is seen as significant because it is considered the first agenda to have been completely compiled by Trump administration officials. The last agenda was issued in spring 2017, just several months after President Trump took office.
The DHS portion of the latest unified agenda includes several cyber-related items, among them delayed action on an “advanced notice of proposed rulemaking” for PCII, which was first issued in April 2016. The comment period on the advanced notice ended in July 2016, and the Trump administration says a decision on whether to issue proposed rules is “to be determined,” according to the unified agenda.
The communications industry in July submitted comments raising concerns about the proposed rules for handling PCII, arguing that expanded access to the information could raise risks.
“The more information is shared with entities that are not in a position to support the PCII protections, the greater the risk that the information will be compromised,” wrote the U.S. Communications Sector Coordinating Council in a July 20 letter to DHS.
“DHS is reviewing the public comments received in response to the ANPRM, after which DHS intends to publish a Notice of Proposed Rulemaking,” states the unified agenda, without offering a date for such a determination.
Other cyber-related items in the agenda include proposed rules for DHS contractors that handle “unclassified” but sensitive data, such as “personally identifiable information.”
The proposed rules were issued by the Obama administration and the public comment period was extended in April 2017. The Trump administration's regulatory agenda says a decision on whether to issue final rules has yet “to be determined.”
“Specifically, the rule would define key terms, outline security requirements and inspection provisions for contractor information technology (IT) systems that store or process sensitive information, institute incident notification and response procedures, and identify post-incident credit monitoring requirements,” according to the unified agenda.
The agenda also puts off a decision on final rules for DHS contractors that would “standardize information technology security awareness training” for the handling of controlled unclassified information, or CUI. The proposed rules would set requirements “for contractor and subcontractor employees who access DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting” CUI, according to the unified agenda.
The proposed rules were issued in January 2017 and the comment period ended in April following a one-month deadline extension. Whether DHS will issue a final rule is “to be determined,” according to the agenda.
The Trump administration has been pushing a regulatory rollback agenda since coming into office, so a suspension of DHS decisions on new rules for sensitive data is not surprising. -- Rick Weber (firstname.lastname@example.org)