The notice also asks for feedback on incentives that would promote the adoption of bolstered cyber defenses across industry.
In the cyber order, the president tasked the Commerce Department's National Institute of Standards and Technology to work with industry to craft a set of cybersecurity standards and best practices that critical infrastructure firms could incorporate into their computer systems. After those standards are developed, companies that power key infrastructure would then elect to join the DHS-led program, in which they would follow that cyber framework.
But an executive order cannot grant new powers or authorities, which prevents the administration from offering companies key incentives for joining the program, such as liability protection from lawsuits if businesses are hit by a cyberattack. Most incentives need to be enacted by congressional legislation.
For this reason, the president charged the Commerce Department, as well as the Treasury and Homeland Security departments, to come with up possible incentives — both inside and outside the parameters of the executive order — that would encourage industry participation in the DHS program.
"To develop a clearer picture of existing and potential incentives, the executive order directs the Department of Commerce to recommend ways to promote participation in the program," the department's notice of inquiry reads. "The recommendations 'shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants of the program.' "
The notice also calls for recommendations on "a broader set of incentives that could help to promote the adoption of proven efforts to address cybersecurity vulnerabilities" among firms that do not join the program, or do not power critical infrastructure.
The notice includes a lengthy list of questions for stakeholders to answer in their responses, including whether particular industries lack sufficient incentives to invest in their computer security, how insurance can be used as an incentive for companies to boost their network defenses, and if there are barriers that prevent companies from investing in their cybersecurity defenses.
The Commerce Department will submit its recommendations to the president by June 12.