
In the Last 12 Days of Session the 113th Congress gave to me: Cybersecurity!

By Mitch Herckis posted Dec 17, 2014 10:47 AM

  

Later this week, I will post a broader overview of what has been going on in Washington around tech, but Congress has been working over the last week... in almost every sense of the word.  Improving our cybersecurity laws is a big beneficiary of that work. Here’s some of the cybersecurity legislation making it to the President’s desk before Christmas, and what ended up as a lump of coal:

NICE:

S. 1353 - Cybersecurity Enhancement Act of 2014:
This bipartisan legislation from Senators Rockefeller (D-WV) and Thune (R-SD) codifies much of the work underway at the National Institute for Standards and Technology in creating voluntary consensus standards, as well as promoting education and awareness campaigns.  It also directs more efforts towards cybersecurity research and development, as well as workforce development activities through the Office of Science and Technology Policy, Department of Commerce, National Science Foundation, and the Department of Homeland Security. 

The key takeaway for states? The legislation specifically requires the federal government “to identify, develop, and recruit talented individuals to perform duties relating to the security of information technology in Federal, State, local, and tribal government agencies….”  This includes scholarships for cybersecurity professionals pledging to serve at any level of government, as well as funding for training and recruitment. NASCIO endorsed this legislation in September of 2013.

S.2521 - Federal Information Security Modernization Act of 2014: This bill, co-sponsored by Senate Homeland Security and Governmental Affairs Committee Chair Sen. Tom Carper (D-DE) and Ranking Member Tom Coburn (R-OK), reforms the Federal Information Security Management Act of 2002 (FISMA) to more clearly delineate that the Office of Management and Budget has policy oversight over FISMA, and DHS has operational oversight.  In addition, it pushes agencies away from a checklist-style audit approach to security and towards “automated security tools to continuously diagnose and improve security.”  Hopefully, this will assist in the ongoing effort to harmonize the varied patchwork of federal agency security standards that are mandated upon states via grant rules.

S. 2519 - National Cybersecurity Protection Act of 2014: Formally authorizes the Department of Homeland Security’s (DHS) ongoing activities around cybersecurity, including the National Cybersecurity and Communications Integration Center (NCCIC).  It requires DHS to create a “Cyber Incident Response Plan” in cooperation with state and local governments, as well as the private sector, and continue its efforts to provide clearances to outside entities that are participating in information sharing activities. In addition to the aforementioned Senate Homeland Security and Government Affairs Committee leadership, House Homeland Security Committee Chair Michael McCaul (R-TX) gets some credit for working out the differences between the House and Senate to get this done.

NAUGHTY:

S. 2244 - Terrorism Risk Insurance Program Reauthorization Act: This bill to extend a federal backstop for insurance that covers major acts of terrorism, including cyber incidents, died on the vine last night despite overwhelming support from both parties. The bill simply extended the Terrorism Insurance Program that was initially created under the Terrorism Insurance Act of 2002. It was held by Senator Coburn (R-OK) due to a relatively unrelated segment of the legislation that allows for the licensing of insurance brokers in states beyond their home jurisdiction.  With the House already in recess, there is no chance for changing the legislation before the existing law expires on December 31.  It will certainly come back up again in 2015.

H.R.83 - Consolidated and Further Continuing Appropriations Act, 2015:  DHS only received a continuing resolution that will fund the agency through February 27 at FY 2014 levels.  While the act will fund the most important cybersecurity activities at DHS without a hitch, state and local grant programs that run through FEMA such as the National Preparedness Grant Program (NPGP) will ultimately be delayed until Congress decides on funding levels well into next year.  This could impact funding for some cybersecurity activities in the states, although the vast majority of NPGP funding does not go towards cybersecurity.

ALSO OF INTEREST:

H.R.83 - Consolidated and Further Continuing Appropriations Act, 2015—CJS Section:  The Commerce-Justice-Science Appropriations provisions in the appropriations bill added significant heft to the Department of Justice’s cybersecurity capacity, supporting ongoing efforts to boost the agency’s efforts in cybersecurity.  More can be found here from Rep. Frank Wolf (R-VA).

Congress passed two bills that will improve DHS’ cyber-workforce. H.R. 2952 - Cybersecurity Workforce Assessment Act requires DHS to develop a cyber-workforce assessment and long-term strategy “to enhance the readiness, capacity, training, recruitment, and retention.” It also provides for a cybersecurity fellowship program.  In addition, S. 1691 – The Border Patrol Agent Pay Reform Act of 2014 included the authority for DHS to hire senior cybersecurity professionals at higher rates of pay.  While this could detrimentally impact states’ ability to recruit qualified individuals directly, that will likely be outweighed by having a federal partner with more expertise and qualified cyber personnel to collaborate with the states.

More to come on many other issues later this week!
