Congress surprised many by passing five cybersecurity bills during the post-election “lame duck” session that concluded last week. The White House has indicated that the President will sign all five measures into law.
Congress passed the National Cybersecurity Protection Act in what House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies Chairman Patrick Meehan (R-PA) termed “the first significant cybersecurity legislation in a decade.” The measure codifies the National Cybersecurity and Communications Integration Center (“NCCIC” or “Center”) within the Department of Homeland Security (“DHS”). The NCCIC is an interface for both the federal government and private sector to share cybersecurity risks, analysis and incidents. The Center is charged with enabling real-time integrated action; facilitating cross-sector coordination to address risks, sharing, and analysis; and providing technical assistance, risk management, and security recommendations.
Importantly, Congress also passed the Federal Information Security Modernization Act of 2014, which establishes real-time monitoring of federal computer networks and replaces a requirement in the 12-year-old Federal Information Security Management Act (“FISMA”) by which federal agencies must file checklists to show steps they have taken to secure their IT systems. The legislation, spearheaded by Senate Homeland Security and Governmental Affairs Committee Chairman Tom Carper (D-DE) and retiring Sen. Tom Coburn (R-OK), also codifies the DHS’s role in overseeing the implementation of security policies and practices for information systems owned and operated by civilian agencies, as opposed to defense and intelligence agencies, which fall under the umbrella of the Department of Defense.
Third, Congress passed the Cybersecurity Enhancement Act of 2014, which provides for an ongoing, voluntary public-private partnership to strengthen cybersecurity preparedness and the development of a federal cybersecurity research and development plan. The bill, originally introduced by Senate Commerce Committee Chairman Jay Rockefeller (D-WV), essentially codifies the process through which the NIST Cybersecurity Framework was developed. It also allows the federal government to support research, raise public awareness of cyber risks and improve the nation’s cybersecurity workforce.
Fourth, Congress passed legislation to ensure that DHS has a comprehensive strategy for building its cybersecurity workforce. The Cybersecurity Workforce Assessment Act sets timelines for the DHS secretary to assess the readiness and capacity of the department’s cyber workforce to meet its mission; the positions that are vacant or filled, and by whom; and a 10-year projection of the department’s cybersecurity workforce needs and plans to recruit veterans, experienced professionals, the unemployed and those from underserved communities.
Finally, Congress passed the Border Patrol Agent Pay Reform Act, which includes a provision to help DHS recruit and retain cybersecurity professionals. Specifically, the bill empowers the DHS secretary to increase basic pay and offer additional compensation, including benefits, incentives and allowances to fill critical cybersecurity positions.
Despite Congress’ relative success in passing cyber legislation during the lame duck session, House Homeland Security Chairman Mike McCaul (R-TX) was quick to point out that “there is more work to be done” on cybersecurity. Specifically, all five bills stop short of supporting robust information sharing between intelligence agencies and the private sector, and they do not provide legal protections for companies that voluntarily share cyberthreat information, following failed attempts in Congress to offer such immunity.
Similarly, Senate Homeland Security and Governmental Affairs Committee Chairman Tom Carper (D-DE) urged lawmakers not to rest on their laurels and expressed his commitment to moving cybersecurity forward. “I will make cybersecurity a top priority for the 114th Congress and continue to work with my colleagues on both sides of the aisle on a long-term solution to enhance our nation’s cybersecurity efforts.”