On December 18, 2014, President Obama signed into law five cybersecurity-related bills aimed at protecting federal agencies from cybersecurity threats. The bills advance President Obama’s 2012 Executive Order “Improving Critical Infrastructure Cybersecurity” by improving the protection of the Nation’s critical infrastructure from cyber threats, increasing sharing of cyber threat information between the public and private sectors, and creating a framework to reduce cyber risks to critical infrastructure.
These bills were the first cybersecurity legislation to be passed since the E-Government Act of 2002, which included the Federal Information Security Management Act of 2002 (“FISMA”).
Federal Information Security Modernization Act of 2014: updates FISMA. Senator Tom Carper, Chairman of the Senate Homeland Security and Governmental Affairs Committee, described the bill as “moderniz[ing] our outdated federal network security laws, provid[ing] the tools authorities need to improve security at our federal agencies, and increase[ing] transparency and accountability for data breaches at federal agencies.” Among other things, FISMA was updated to direct federal agencies to shift from a checklist-method of monitoring cybersecurity to real-time monitoring of federal computer networks.
National Cybersecurity Protection Act: formally establishes the National Cybersecurity and Communications Integration Center (“NCCIC”) in the Department of Homeland Security to oversee critical infrastructure protection, cybersecurity, and related programs. NCCIC will be an interface for the public and private sectors to share information about cybersecurity risks, incidents, analysis, and warnings, and to collaborate in operations. The bill tables any discussion of liability with regards to private companies that choose to share information with the government. Instead, it instructs the Secretary of the Department of Homeland Security to develop procedures for public-private information sharing and make recommendations to Congress on how to implement information sharing agreements.
Cybersecurity Workforce Assessment Act: to allow for the recruitment of the best and brightest cybersecurity professionals, this Act calls for the Secretary of the Department of Homeland Security to develop, maintain, and update a comprehensive strategy to “enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce of the Department.”
Homeland Security Workforce Assessment Act: this was a rider on the Border Patrol Agent Pay Reform Act, and similar to the Cybersecurity Workforce Assessment Act, allows the Department of Homeland Security to create positions related to cybersecurity and to exempt certain cybersecurity employees from regular government hiring rules, including providing such employees with “additional compensation, incentives, and allowances.”
Cybersecurity Enhancement Act: gives the Department of Commerce the authority, acting through the Director of the National Institute of Standards and Technology (“NIST”), to develop voluntary standards to reduce cyber risks to critical infrastructure. It also directs the White House’s Office of Science and Technology Police to develop a federal cyber research and development strategic plan.
Although some, including Jeh Johnson, Secretary of the Department of Homeland Security and Senator Jay Rockefeller, appreciate the progress this legislation will make in advancing federal cybersecurity efforts, others have pointed out holes in the legislation. For example, Senator McCain issued a press release stating that “Congress . . . must . . . finally pass long-overdue comprehensive cybersecurity legislation.” Overall, the bills demonstrate government interest in addressing ever-increasing cybersecurity issues and, especially given the newly-created House information subcommittee focused on cybersecurity, comprehensive legislation may be on the way.
Photo by U.S. Department of Agriculture from Flickr