"The PPD is focused on clarifying Federal roles and responsibilities; integrating physical security and cybersecurity analysis and situational awareness; improving information sharing; and having the Federal government function more effectively to be a better partner to the critical infrastructure owners and operators," she added.
The Presidential directive identifies 16 critical infrastructure sectors, including the Chemical, Commercial Facilities, Critical Manufacturing, Dams, Defense Industrial Base, Energy, Financial Services, Information Technology, Nuclear Reactors and Water and Wastewater systems.
The DHS is the designated federal agency for 10 of these sectors, including IT, Critical Manufacturing and Communications. The Treasury Department will oversee the identification of critical infrastructure entities within the financial services sector, while the Department of Defense will oversee the Defense Industrial Base sector.
The language in the executive order significantly broadens the number of entities that can be classified as being part of the country's critical infrastructure, said Andrew Serwin, chair of the privacy, security and information management practice at law firm Foley & Lardner LLP.
The order defines critical infrastructure as any organization and associated systems where a cyberattack could pose a threat to U.S. national security, public safety and health or economic interests.
So businesses that support or partner with companies and federal agencies in the sectors listed as critical infrastructure could be designated as well. "I think that you could see a variety of other industries getting sucked into the definition of critical infrastructure," Serwin said.
It's unclear yet what risk criteria the federal agencies will use to identify entities, he said. "But you could see a scenario where any business of a certain size" could be considered critical.
Obama's order does not require private sector owners and operators of critical infrastructure to adopt any of the new security standards and best practices. But they will be pressured to adopt them anyway from a due diligence standpoint, Serwin maintained.
"There are huge brand issues with cybersecurity and privacy," Serwin said. "If you are in a designated critical infrastructure category, you don't want to be the company that didn't follow the recommendations."
A wide range of companies from the health care, IT, financial services and other sectors need to determine whether they could be designated as part of the critical infrastructure sector under the executive order, said David Ransom, a partner at law firm McDermott Will & Emery.