Home / Blogs

Do Agencies Already Have the Authority to Issue Critical Infrastructure Protection Regulations?

The President and Congress are deliberating how best to ensure appropriate cybersecurity protection for private sector critical infrastructure. Legislative action and Executive Order are both under consideration. It is possible, however, that the White House Office of Management and Budget (OMB) already has sufficient statutory authority to enact new cybersecurity regulations through the normal notice-and-comment rulemaking process.

The Data (Information) Quality Act (DQA, aka IQA) sets standards for the integrity of data used by federal agencies in public information disseminations. Since cybersecurity breaches have the potential to compromise the integrity of federal data, OMB has defined the integrity provisions of the law to encompass FISMA and other federal information security policies.

Moreover, the DQA's Integrity, Objectivity and Utility requirements apply to third-party data used and relied on by federal agencies as well as to federally-generated data. In explaining the applicability of the DQA to third-party data, then Office of Information and Regulatory Affairs Administrator Graham stated, "If third-party submissions are to be used and disseminated by federal agencies, it is the responsibility of the federal government, under the Information-Quality Act, to make sure that such information meets relevant information-quality standards."

The question arises therefore, as to whether the DQA provides the federal government with the authority to issue regulations protecting the integrity of data obtained from third parties, prior to its submission to the government, given the federal responsibility of making sure that such data "meets relevant information-quality standards."

The DQA states that the "Director of the Office of Management and Budget shall...with public and Federal agency involvement, issue guidelines under sections 3504(d)(1) and 3516 of title 44, United States Code, that provide policy and procedural guidance to Federal agencies for ensuring and maximizing the quality, objectivity, utility, and integrity of information (including statistical information) disseminated by Federal agencies..."

Based on a plain reading of the text, the answer appears to be no since the law authorizes guidance to federal agencies, not regulations binding on the private sector. Although this straightforward reading of the statute may well prove to be correct, it's worth exploring the scope of OMB's authority under the Act given the two sections of the Paperwork Reduction Act (PRA) cited in the DQA. In particular, as discussed below, OMB's DQA authority needs to be understood in light of the law's interpretation by the US Court of Appeals for the DC Circuit.

44 USC 3504(d)(1), part of the US Code's Subchapter on Federal Information Policy, states that with "respect to information dissemination, the Director shall develop and oversee the implementation of policies, principles, standards, and guidelines to — (1) apply to Federal agency dissemination of public information, regardless of the form or format in which such information is disseminated;"

This section of the Code gives the Director permission to take actions with respect to virtually all information publicly disseminated by the Executive Branch. By citing 3504(d)(1), the DQA is granting the Director broad authority, on an intra-governmental level, to protect the integrity (and objectivity and utility) of data disseminated by agencies.

The other section of the Code referenced by the DQA, 3516, states that the "Director shall promulgate rules, regulations, or procedures necessary to exercise the authority provided by this subchapter." Thus, even though the DQA refers to "guidance," by utilizing section 3516 of the PRA, Congress appears to grant the Director the authority to issue binding rules and regulations to carry out the DQA, including protecting the integrity of data disseminated by agencies.

The DC Circuit Court's decision in Prime Time Int'l Co. v. Vilsack provides additional insight into the Director's authority under the DQA. In a unanimous opinion the court stated that "Congress delegated to OMB authority to develop binding guidelines implementing the IQA...." Moreover, in deferring to OMB's reasonable construction of the statue, the decision stated, "See United States v. Mead, 533 U.S. 218, 226 — 27 (2001)."

The Center for Regulatory Effectiveness (CRE), in groundbreaking analysis opined,

The citation of Mead at those particular pages is significant. The only statement by the Supreme Court in Mead that overlaps those two pages is the following: "We hold that administrative implementation of a particular statutory provision qualifies for Chevron deference when it appears that Congress delegated authority to the agency generally to make rules carrying the force of law, and that the agency interpretation claiming deference was promulgated in the exercise of that authority.” (Emphasis added)

A detailed analysis of the Prime Time decision by Multinational Legal Services, PLLC supporting CRE's statement may be found here. The MLS analysis explained that:

The Mead opinion makes clear that when an agency issues a rule that is entitled to Chevron-level deference, "any ensuing regulation is binding in the courts unless procedurally defective, arbitrary or capricious in substance, or manifestly contrary to the statute."

It is important to note that the Department of Justice, representing USDA, took exception to CRE's interpretation of the Prime Time decision. So strong was DOJ's disagreement with CRE's understanding of the opinion that they filed a Petition for a Panel Rehearing of a case they had already won, asking "the panel amend its opinion to clarify that the Court did not decide whether the Information Quality Act ("IQA") creates judicially enforceable rights." DOJ took the extraordinary step of including a printout of CRE's website as Exhibit B of their petition. The court rejected the DOJ petition.

Thus, we can see that the DQA gives OMB: 1) the duty to protect the integrity, utility and objectivity of data used in federal information disseminations; and 2) the authority to create binding rules carrying the force of law in order to fulfil its DQA duties. Moreover, we have seen that the scope of the DQA encompasses data collected by agencies from third parties that is then used in federal information disseminations.

Does this mean that the DQA gives OMB the authority to issue regulations protecting the integrity of third-party data used in federal information disseminations? Not necessarily but the issue is worthy of further analysis.

By Bruce Levinson, SVP, Regulatory Intervention - Center for Regulatory Effectiveness

Related topics: Cyberattack, Cybercrime, Data Center, Regional Registries, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

The FCC has long had authority pursuant Anthony Rutkowski  –  Aug 21, 2012 5:00 AM PDT

The FCC has long had authority pursuant to the Communications Act of 1934 and subsequent enabling legislation to protect critical communications infrastructure.  In the radio sector, it has exercised that jurisdiction rather extensively.  In the non-radio arena, its actions have been significantly restrained.

Agreed Bruce Levinson  –  Aug 21, 2012 7:07 AM PDT

Mr. Rutkowski is correct about the Communications Act.  There are other statutes which also provide agencies the authority to regulate various aspects of critical infrastructure protection, all of which support the article's central thesis that additional legislation may well not be necessary for CIP regulations.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

3 Questions to Ask Your DNS Host About DDoS

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Sponsored Topics