
Do Agencies Already Have the Authority to Issue Critical Infrastructure Protection Regulations?


The President and Congress are deliberating how best to ensure appropriate cybersecurity protection for private sector critical infrastructure. Legislative action and Executive Order are both under consideration. It is possible, however, that the White House Office of Management and Budget (OMB) already has sufficient statutory authority to enact new cybersecurity regulations through the normal notice-and-comment rulemaking process.

The Data (Information) Quality Act (DQA, aka IQA) sets standards for the integrity of data used by federal agencies in public information disseminations. Since cybersecurity breaches have the potential to compromise the integrity of federal data, OMB has defined the integrity provisions of the law to encompass FISMA and other federal information security policies.

Moreover, the DQA's Integrity, Objectivity and Utility requirements apply to third-party data used and relied on by federal agencies as well as to federally-generated data. In explaining the applicability of the DQA to third-party data, then Office of Information and Regulatory Affairs Administrator Graham stated, "If third-party submissions are to be used and disseminated by federal agencies, it is the responsibility of the federal government, under the Information-Quality Act, to make sure that such information meets relevant information-quality standards."

The question therefore arises as to whether the DQA provides the federal government with the authority to issue regulations protecting the integrity of data obtained from third parties, prior to its submission to the government, given the federal responsibility of making sure that such data "meets relevant information-quality standards."

The DQA states that the "Director of the Office of Management and Budget shall...with public and Federal agency involvement, issue guidelines under sections 3504(d)(1) and 3516 of title 44, United States Code, that provide policy and procedural guidance to Federal agencies for ensuring and maximizing the quality, objectivity, utility, and integrity of information (including statistical information) disseminated by Federal agencies..."

Based on a plain reading of the text, the answer appears to be no, since the law authorizes guidance to federal agencies, not regulations binding on the private sector. Although this straightforward reading of the statute may well prove to be correct, it's worth exploring the scope of OMB's authority under the Act given the two sections of the Paperwork Reduction Act (PRA) cited in the DQA. In particular, as discussed below, OMB's DQA authority needs to be understood in light of the law's interpretation by the US Court of Appeals for the DC Circuit.

44 USC 3504(d)(1), part of the US Code's Subchapter on Federal Information Policy, states that with "respect to information dissemination, the Director shall develop and oversee the implementation of policies, principles, standards, and guidelines to — (1) apply to Federal agency dissemination of public information, regardless of the form or format in which such information is disseminated;"

This section of the Code gives the Director permission to take actions with respect to virtually all information publicly disseminated by the Executive Branch. By citing 3504(d)(1), the DQA is granting the Director broad authority, on an intra-governmental level, to protect the integrity (and objectivity and utility) of data disseminated by agencies.

The other section of the Code referenced by the DQA, 3516, states that the "Director shall promulgate rules, regulations, or procedures necessary to exercise the authority provided by this subchapter." Thus, even though the DQA refers to "guidance," by utilizing section 3516 of the PRA, Congress appears to grant the Director the authority to issue binding rules and regulations to carry out the DQA, including protecting the integrity of data disseminated by agencies.

The DC Circuit Court's decision in Prime Time Int'l Co. v. Vilsack provides additional insight into the Director's authority under the DQA. In a unanimous opinion the court stated that "Congress delegated to OMB authority to develop binding guidelines implementing the IQA...." Moreover, in deferring to OMB's reasonable construction of the statute, the decision stated, "See United States v. Mead, 533 U.S. 218, 226 — 27 (2001)."

The Center for Regulatory Effectiveness (CRE), in a groundbreaking analysis, opined:

The citation of Mead at those particular pages is significant. The only statement by the Supreme Court in Mead that overlaps those two pages is the following: "We hold that administrative implementation of a particular statutory provision qualifies for Chevron deference when it appears that Congress delegated authority to the agency generally to make rules carrying the force of law, and that the agency interpretation claiming deference was promulgated in the exercise of that authority." (Emphasis added)

A detailed analysis of the Prime Time decision by Multinational Legal Services, PLLC supporting CRE's statement may be found here. The MLS analysis explained that:

The Mead opinion makes clear that when an agency issues a rule that is entitled to Chevron-level deference, "any ensuing regulation is binding in the courts unless procedurally defective, arbitrary or capricious in substance, or manifestly contrary to the statute."

It is important to note that the Department of Justice, representing USDA, took exception to CRE's interpretation of the Prime Time decision. So strong was DOJ's disagreement with CRE's understanding of the opinion that they filed a Petition for a Panel Rehearing of a case they had already won, asking "the panel amend its opinion to clarify that the Court did not decide whether the Information Quality Act ("IQA") creates judicially enforceable rights." DOJ took the extraordinary step of including a printout of CRE's website as Exhibit B of their petition. The court rejected the DOJ petition.

Thus, we can see that the DQA gives OMB: 1) the duty to protect the integrity, utility and objectivity of data used in federal information disseminations; and 2) the authority to create binding rules carrying the force of law in order to fulfil its DQA duties. Moreover, we have seen that the scope of the DQA encompasses data collected by agencies from third parties that is then used in federal information disseminations.

Does this mean that the DQA gives OMB the authority to issue regulations protecting the integrity of third-party data used in federal information disseminations? Not necessarily, but the issue is worthy of further analysis.

By Bruce Levinson, SVP, Regulatory Intervention - Center for Regulatory Effectiveness




The FCC has long had authority pursuant
Anthony Rutkowski  –  Aug 21, 2012 5:00 AM PDT

The FCC has long had authority pursuant to the Communications Act of 1934 and subsequent enabling legislation to protect critical communications infrastructure.  In the radio sector, it has exercised that jurisdiction rather extensively.  In the non-radio arena, its actions have been significantly restrained.

Agreed
Bruce Levinson  –  Aug 21, 2012 7:07 AM PDT

Mr. Rutkowski is correct about the Communications Act.  There are other statutes which also provide agencies the authority to regulate various aspects of critical infrastructure protection, all of which support the article's central thesis that additional legislation may well not be necessary for CIP regulations.
