By Caleb Skeath
Congress approved a package of five cybersecurity bills after a series of votes in the House and Senate this week, increasing the likelihood that some cybersecurity-related legislation will be signed into law by the end of this year. None of the bills address the larger, more contentious cybersecurity issues, such as immunity for private companies that share cybersecurity threat information with the federal government. Instead, the bills focus on narrower cybersecurity issues and on the structures and procedures of the federal agencies that oversee cybersecurity. Two of the measures, S. 2519 and S. 2521, are primarily focused on centralizing the federal government’s cybersecurity efforts and enhancing information sharing with the private sector, while another, S. 1353, provides for the development of a voluntary set of cybersecurity standards for the private sector. The remaining bills, S. 1691 and H.R. 2952, are focused on strengthening the Department of Homeland Security’s cybersecurity workforce and recruitment efforts.
The National Cybersecurity Protection Act of 2014, S. 2519, would codify the Department of Homeland Security’s existing National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC would provide a platform for the government and private sector to share information about cybersecurity threats, incident response, and technical assistance. The bill requires the Center to include representatives of federal agencies, state and local governments, and private sector owners and operators of critical information systems. However, the bill gives the Undersecretary of Homeland Security discretion about including governmental or private entities in the center’s operations. The House also passed the Federal Information Security Modernization Act of 2014, S. 2521, which amends the 2002 Federal Information Security Management Act to centralize federal government cybersecurity management within the Department of Homeland Security. The bill maintains the Director of the Office of Management and Budget’s existing authority over federal civilian agency information security policies while delegating authority to the Homeland Security Secretary to implement these policies. The bill also delegates implementation authority for defense-related and intelligence-related information security to the Secretary of Defense and the Director of National Intelligence, respectively. The bill also codifies the OMB’s directive, issued this past October, that gives DHS authority to scan the networks of other federal civilian government agencies. Both S. 2521 and S. 2519 passed the Senate earlier in the week and now await the President’s signature.
The House also passed the Cybersecurity Enhancement Act of 2014, S. 1353, which allows the Director of the National Institute of Standards and Technology to facilitate the development of a “voluntary, industry-led, consensus-based” set of cybersecurity standards and best practices for “critical infrastructure.” The bill calls for the Director of NIST to coordinate closely with the private sector in developing these standards, which should incorporate industry best practices and align with voluntary international cybersecurity standards “to the fullest extent possible.” In addition, federal, state, and local governments are forbidden from using information shared by a private entity to develop such standards for the purpose of regulating that entity.
Under the Cybersecurity Enhancement Act, the Director of NIST will serve as a coordinator for the federal government’s involvement in the development of international cybersecurity standards, consulting with federal agencies and private sector stakeholders as appropriate. The Director of NIST is also responsible for developing a strategy for increased use of cloud computing technology by the government, which will include support for private sector efforts to enhance standardization and interoperability of cloud computing services. In addition, federal agencies and departments, working through the National Science and Technology Council and the Networking and Information Technology Research and Development Program, must develop a federal cybersecurity research and development strategic plan that will be updated every four years. The strategic plan will be developed in cooperation with industry and academic stakeholders to ensure that the plan does not duplicate private sector research and development efforts. The Act also creates a “scholarship-for-service” program for federal cybersecurity workers, as well as a cybersecurity education and awareness program that will be developed by the Director of NIST in consultation with public- and private-sector stakeholders.
Finally, the House passed two bills that focus on strengthening the federal government’s cybersecurity workforce. S. 1691, which includes provisions from the DHS Cybersecurity Workforce Recruitment and Retention Act, would improve hiring procedures and compensation ranges for cybersecurity positions at the Department of Homeland Security. Under the provisions of the bill, the Department of Homeland Security is required to pay cybersecurity workers similar to the salary that cybersecurity positions receive in the Defense Department. The bill also requires DHS to file annual reports on its recruitment and retention of cybersecurity workers. The House also passed H.R. 2952, the Cybersecurity Workforce Assessment Act, as amended by the Senate. The bill would require the Department of Homeland Security to conduct an assessment of its cybersecurity workforce every three years, in addition to developing a strategy for enhancing the recruitment and training of cybersecurity employees. Both bills previously passed the Senate and now await the President’s signature.