President Obama’s executive order on cybersecurity is “close to completion,” Homeland Security Secretary Janet Napolitano said Wednesday.

Speaking to the Senate Committee on Homeland Security and Governmental Affairs, Napolitano said a draft is held up only by “a few issues that need to be resolved at the highest levels,” then Obama’s review and signature.

Numerous sources indicate that the executive order is based on the Cybersecurity Act of 2012 (CSA), a bill Obama had long supported that was defeated in the Senate in August. Though a draft of the order was leaked and made public Friday, it’s unclear what steps the final version will take to ensure user privacy, a constant concern with cybersecurity laws, many of which include provisions to allow government agencies to view private user data in case of an attack.

A White House representative refused to comment on “ongoing internal deliberations” but promised a general commitment to privacy. Senator Ron Wyden (D-Ore.), who’s been outspoken on the balance the U.S. needs to strike between cybersecurity and user privacy, told the Daily Dot that a sensible policy on cybersecurity would “make a distinction between [companies devoted to] infrastructure and social media,” and only allow the law to apply to networks that manage things like energy and transportation systems.

Napolitano said that the draft would include the very provision that likely got the CSA killed by Senate Republicans: a program that would encourage companies that manage infrastructure to adopt stricter cybersecurity standards on their own. Critics of that program said this would lead to making such standards mandatory, which would be an unfair burden on businesses.

This won’t be an exact CSA clone, though. For instance, the limited scope of an executive order means it can’t add new cybersecurity specialists to the Department of Homeland Security or offer liability protection to companies who are attacked, or increase penalties for cyber criminals.

Photo of Napolitano via Wikimedia Commons