Infrastructure protection

U.S. may already have authority to issue infrastructure protection regulations

Published 24 August 2012

While the president and Congress continue to debate the cybersecurity bill, the White House Office of Management and Budget may already have sufficient statutory authority to enact new regulations through the normal notice-and-comment rulemaking process; the basis for such regulations would be the Data Quality Act (DQA), which sets the standards for the integrity of data used by federal agencies in public disseminations.

While the president and Congress debate the cybersecurity bill, the White House Office of Management and Budget may already have sufficient statutory authority to enact new regulations through the normal notice-and-comment rulemaking process.

The Data Quality Act (DQA) sets the standards for the integrity of data used by federal agencies in public disseminations. Cybersecurity breaches could compromise federal data; as a result, the OMB has defined the provisions of the law to encompass FISMA and other information security policies.

The DQA’s Integrity, Objectivity and Utility requirements apply to third-party data used and relied on by federal agencies as well as to federally-generated data, CircleID reports. The Office of Information and Regulatory Affairs administrator told CircleID “If third-party submissions are to be used and disseminated by federal agencies, it is the responsibility of the federal government, under the Information-Quality Act, to make sure that such information meets relevant information-quality standards.”

Now the question is: does the federal government have the authority to issue regulations that protect federal data from third parties?

The DQA states that the “Director of the Office of Management and Budget shall…with public and Federal agency involvement, issue guidelines under sections 3504(d)(1) and 3516 of title 44, United States Code, that provide policy and procedural guidance to Federal agencies for ensuring and maximizing the quality, objectivity, utility, and integrity of information (including statistical information) disseminated by Federal agencies…”

A plain reading of the text says “no,” because the law authorizes guidance to federal agencies, not the private sector; but the OMB’s authority in the Paperwork Reduction Act (PRA), as cited in the DQA, might give the OMB the power to enact its own regulations.

44 USC 3504(d)(1), of the U.S. Code’s Subchapter on Federal Information Policy, states that with “respect to information dissemination, the Director shall develop and oversee the implementation of policies, principles, standards, and guidelines to — (1) apply to Federal agency dissemination of public information, regardless of the form or format in which such information is disseminated;”

This section gives the director the power to take any action regarding almost all information which is publicly disseminated by the executive branch. The other section of the code referenced by the DQA, 3516, states, “Director shall promulgate rules, regulations, or procedures necessary to exercise the authority provided by this subchapter.”

This means that Congress grants the director the authority to issue binding rules and regulations to carry out the DQA in order to protect the integrity of data.

The DQA thus gives the OMB the duty to protect the integrity, utility, and objectivity of data used in federal information disseminations, as well as the authority to create binding rules carrying the force of law in order to fulfill its DQA duties. 

CircleID concludes that while this does not mean the OMB has the right to issue regulations outright, it could be explored further in the event that the cybersecurity bill does not pass.