Home / Blogs

Do Agencies Already Have the Authority to Issue Critical Infrastructure Protection Regulations?

The President and Congress are deliberating how best to ensure appropriate cybersecurity protection for private sector critical infrastructure. Legislative action and Executive Order are both under consideration. It is possible, however, that the White House Office of Management and Budget (OMB) already has sufficient statutory authority to enact new cybersecurity regulations through the normal notice-and-comment rulemaking process.

The Data (Information) Quality Act (DQA, aka IQA) sets standards for the integrity of data used by federal agencies in public information disseminations. Since cybersecurity breaches have the potential to compromise the integrity of federal data, OMB has defined the integrity provisions of the law to encompass FISMA and other federal information security policies.

Moreover, the DQA’s Integrity, Objectivity and Utility requirements apply to third-party data used and relied on by federal agencies as well as to federally-generated data. In explaining the applicability of the DQA to third-party data, then Office of Information and Regulatory Affairs Administrator Graham stated, “If third-party submissions are to be used and disseminated by federal agencies, it is the responsibility of the federal government, under the Information-Quality Act, to make sure that such information meets relevant information-quality standards.”

The question arises therefore, as to whether the DQA provides the federal government with the authority to issue regulations protecting the integrity of data obtained from third parties, prior to its submission to the government, given the federal responsibility of making sure that such data “meets relevant information-quality standards.”

The DQA states that the “Director of the Office of Management and Budget shall…with public and Federal agency involvement, issue guidelines under sections 3504(d)(1) and 3516 of title 44, United States Code, that provide policy and procedural guidance to Federal agencies for ensuring and maximizing the quality, objectivity, utility, and integrity of information (including statistical information) disseminated by Federal agencies…”

Based on a plain reading of the text, the answer appears to be no since the law authorizes guidance to federal agencies, not regulations binding on the private sector. Although this straightforward reading of the statute may well prove to be correct, it’s worth exploring the scope of OMB’s authority under the Act given the two sections of the Paperwork Reduction Act (PRA) cited in the DQA. In particular, as discussed below, OMB’s DQA authority needs to be understood in light of the law’s interpretation by the US Court of Appeals for the DC Circuit.

44 USC 3504(d)(1), part of the US Code’s Subchapter on Federal Information Policy, states that with “respect to information dissemination, the Director shall develop and oversee the implementation of policies, principles, standards, and guidelines to—(1) apply to Federal agency dissemination of public information, regardless of the form or format in which such information is disseminated;”

This section of the Code gives the Director permission to take actions with respect to virtually all information publicly disseminated by the Executive Branch. By citing 3504(d)(1), the DQA is granting the Director broad authority, on an intra-governmental level, to protect the integrity (and objectivity and utility) of data disseminated by agencies.

The other section of the Code referenced by the DQA, 3516, states that the “Director shall promulgate rules, regulations, or procedures necessary to exercise the authority provided by this subchapter.” Thus, even though the DQA refers to “guidance,” by utilizing section 3516 of the PRA, Congress appears to grant the Director the authority to issue binding rules and regulations to carry out the DQA, including protecting the integrity of data disseminated by agencies.

The DC Circuit Court’s decision in Prime Time Int’l Co. v. Vilsack provides additional insight into the Director’s authority under the DQA. In a unanimous opinion the court stated that “Congress delegated to OMB authority to develop binding guidelines implementing the IQA….” Moreover, in deferring to OMB’s reasonable construction of the statue, the decision stated, “See United States v. Mead, 533 U.S. 218, 226—27 (2001).”

The Center for Regulatory Effectiveness (CRE), in groundbreaking analysis opined,

The citation of Mead at those particular pages is significant. The only statement by the Supreme Court in Mead that overlaps those two pages is the following: “We hold that administrative implementation of a particular statutory provision qualifies for Chevron deference when it appears that Congress delegated authority to the agency generally to make

rules carrying the force of law

, and that the agency interpretation claiming deference was promulgated in the exercise of that authority.” (Emphasis added)

A detailed analysis of the Prime Time decision by Multinational Legal Services, PLLC supporting CRE’s statement may be found here. The MLS analysis explained that:

The Mead opinion makes clear that when an agency issues a rule that is entitled to Chevron-level deference, “any ensuing regulation is binding in the courts unless procedurally defective, arbitrary or capricious in substance, or manifestly contrary to the statute.”

It is important to note that the Department of Justice, representing USDA, took exception to CRE’s interpretation of the Prime Time decision. So strong was DOJ’s disagreement with CRE’s understanding of the opinion that they filed a Petition for a Panel Rehearing of a case they had already won, asking “the panel amend its opinion to clarify that the Court did not decide whether the Information Quality Act (“IQA”) creates judicially enforceable rights.” DOJ took the extraordinary step of including a printout of CRE’s website as Exhibit B of their petition. The court rejected the DOJ petition.

Thus, we can see that the DQA gives OMB: 1) the duty to protect the integrity, utility and objectivity of data used in federal information disseminations; and 2) the authority to create binding rules carrying the force of law in order to fulfil its DQA duties. Moreover, we have seen that the scope of the DQA encompasses data collected by agencies from third parties that is then used in federal information disseminations.

Does this mean that the DQA gives OMB the authority to issue regulations protecting the integrity of third-party data used in federal information disseminations? Not necessarily but the issue is worthy of further analysis.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]

Filed Under

Comments

The FCC has long had authority pursuant Anthony Rutkowski  –  Aug 21, 2012 12:00 PM

The FCC has long had authority pursuant to the Communications Act of 1934 and subsequent enabling legislation to protect critical communications infrastructure.  In the radio sector, it has exercised that jurisdiction rather extensively.  In the non-radio arena, its actions have been significantly restrained.

Agreed Bruce Levinson  –  Aug 21, 2012 2:07 PM

Mr. Rutkowski is correct about the Communications Act. There are other statutes which also provide agencies the authority to regulate various aspects of critical infrastructure protection, all of which support the article's central thesis that additional legislation may well not be necessary for CIP regulations.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign