| Executive Order 13636 (2013) | |
|---|---|
| Title | Executive Order 13636 |
| Issued by | Barack Obama |
| Date issued | February 12, 2013 |
| Related | Presidential Policy Directive 21, National Institute of Standards and Technology, Department of Homeland Security, Department of Commerce, United States Computer Emergency Readiness Team, Federal Information Security Management Act of 2002 |
Executive Order 13636 was a presidential directive issued by Barack Obama in 2013 to address cybersecurity risk in critical infrastructure. The order directed the Department of Homeland Security, the Department of Commerce, the National Institute of Standards and Technology, and other agencies to collaborate with the private sector to improve cybersecurity posture across sectors such as the energy, financial services, telecommunications, and healthcare industries. It spurred development of the NIST Cybersecurity Framework, catalyzed public–private partnerships, and intersected with contemporaneous initiatives from the Congress of the United States and state-level actors.
The order emerged amid escalating incidents involving actors linked to advanced persistent threats, notable breaches such as those affecting Target Corporation and Sony Pictures Entertainment (2014 cyberattack), and compromises attributed to actors associated with the People's Republic of China. Policymakers referenced statutes and initiatives including the Homeland Security Act of 2002 and the Federal Information Security Modernization Act of 2014, as well as debates in the United States Senate and the United States House of Representatives over proposed bills such as the Cybersecurity Information Sharing Act of 2015. Influential reports from the Presidential Commission on Enhancing National Cybersecurity and the Council of Economic Advisers, along with testimony before committees chaired by members of the Senate Committee on Homeland Security and Governmental Affairs, shaped executive attention. International incidents involving Stuxnet and NotPetya, and tensions with the Russian Federation, reinforced the sense of urgency and framed the order relative to treaties such as the Budapest Convention on Cybercrime.
The order mandated development of a voluntary, risk-based cybersecurity standards framework by the National Institute of Standards and Technology to reduce cyber risk to critical infrastructure sectors, including the electrical grid, water supply, transportation systems, and financial networks. It authorized enhanced information-sharing mechanisms among entities such as the Information Sharing and Analysis Centers, the United States Computer Emergency Readiness Team, and sector-specific agencies including the Department of Energy and the Department of Health and Human Services. The directive called for pilot programs, metrics development, and prioritization of research by agencies including the National Science Foundation, the Department of Defense, and the Department of Commerce to support resilience against threats attributed to groups such as the Equation Group and to criminal organizations investigated by the Federal Bureau of Investigation.
The National Institute of Standards and Technology led stakeholder-driven development of the NIST Cybersecurity Framework through workshops involving companies such as Microsoft, Google, IBM, AT&T, and Verizon Communications. The framework was organized around five functions, Identify, Protect, Detect, Respond, and Recover, aligned with international standards such as ISO/IEC 27001, and it influenced sector guidance from the North American Electric Reliability Corporation and the Financial Services Information Sharing and Analysis Center. Implementation efforts included cross-sector pilot programs and collaboration with academic centers such as Carnegie Mellon University and the Massachusetts Institute of Technology to advance metrics and best practices. The framework was iterated in response to events such as the breaches at Target Corporation and Anthem Inc., and it was incorporated into procurement and risk-management discussions at organizations including General Electric and ExxonMobil.
The order delineated roles for federal agencies: the Department of Homeland Security for infrastructure protection, the Department of Commerce, via NIST, for standards development, and the Office of Management and Budget for federal alignment. It emphasized voluntary adoption by private owners and operators, including American Electric Power and JPMorgan Chase, and encouraged collaboration with trade associations such as the U.S. Chamber of Commerce, the Information Technology Industry Council, and the Financial Services Roundtable, and with nonprofit entities conducting policy analysis, including the Center for Strategic and International Studies and the Brookings Institution. Law enforcement and intelligence contributions from the Federal Bureau of Investigation and the National Security Agency informed threat assessments, though debates arose over classification and over sharing with companies and with state regulators such as those in California and New York.
Reactions ranged from praise by corporations and advocacy organizations for a voluntary, flexible approach to criticism from privacy advocates associated with the American Civil Liberties Union and scholars at the Harvard Kennedy School concerned about information sharing and civil liberties. Adoption of the NIST Cybersecurity Framework grew among Fortune 500 firms and utilities overseen by the Federal Energy Regulatory Commission, while some legislators and state officials pressed for mandatory rules, citing European Union regulation such as the NIS Directive. Studies from Deloitte, McKinsey & Company, and Gartner analyzed adoption rates and economic impacts, and think tanks including the Heritage Foundation and the Center for American Progress offered divergent assessments of its effectiveness.
The order's legacy includes its influence on later policies such as Presidential Policy Directive 21, its incorporation into Federal Risk and Authorization Management Program discussions, and its role in shaping incentives in legislation including the Cybersecurity Information Sharing Act of 2015. Internationally, the framework informed voluntary alignment by entities in the United Kingdom, Canada, Australia, and member states of the Organisation for Economic Co-operation and Development. Debates over voluntary versus mandatory regimes persisted in forums such as the World Economic Forum and United Nations General Assembly cyber discussions. The initiative also accelerated investment in startups and research at institutions such as Stanford University and the University of California, Berkeley, and it remains referenced in executive branch planning, sector risk assessments, and corporate governance by boards including those of Siemens and Toyota Motor Corporation.