On December 18, 2014, President Obama signed into law five cybersecurity-related bills that address concerns recently brought to the forefront by highly publicized intrusions into public and private networks. The newly enacted legislation includes:
The National Cybersecurity Protection Act of 2014, which addresses cybersecurity-related information sharing between government entities and the private sector and is perhaps the most significant and operations-critical of the five bills. The Act allows the National Cybersecurity and Communications Integration Center ("NCCIC") to share cybersecurity information and analysis with the public and private sectors, to provide incident response and technical assistance to federal and nonfederal agencies alike, and to recommend security measures to enhance cybersecurity. The legislation provides that the NCCIC will, upon request, provide "timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cybersecurity risks and incidents, which may include attribution, mitigation, and remediation." Notably, the Act does not grant authority to promulgate rules or to set standards applicable to private entities relating to cybersecurity.
The Federal Information Security Modernization Act of 2014, which amends the prior version of the Act by reestablishing within the Office of Management and Budget ("OMB") oversight authority over federal agency information security practices and by centralizing cybersecurity operations management within the Department of Homeland Security ("DHS"). The Act also sets forth security program requirements applicable to federal agencies and, in one of the more heralded sections, directs OMB to "eliminate inefficient or wasteful reporting" that previously was required by OMB Circular A-130.
The Cybersecurity Workforce Assessment Act, which requires DHS to conduct an assessment "of the readiness and capacity of the workforce of the Department to meet its cybersecurity mission" every three years and to "develop a comprehensive workforce strategy to enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce for enhancing the recruitment and training of cybersecurity employees."
The Cybersecurity Enhancement Act of 2014, which provides in Title I that the National Institute of Standards and Technology will "facilitate and support the development of a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure." In Title II, the Act requires that the Office of Science and Technology Policy "develop a Federal cybersecurity research and development plan to meet objectives in cybersecurity."
The Border Patrol Agent Pay Reform Act of 2014, which is aimed, among other things, at improving hiring procedures and compensation rates for cybersecurity positions at DHS. The Act requires DHS to pay cybersecurity personnel salaries comparable to those earned by employees in cybersecurity positions at the Department of Defense. The Act also requires DHS to file annual reports on hiring procedures and its recruitment, incentives, and retention of individuals qualified for cybersecurity positions.
None of these laws addresses some of the more contentious and partisan cybersecurity issues—namely, private-sector mandates, liability limitations to protect private-sector organizations that share cybersecurity-related information with the government, a federal breach notification scheme, etc. In combination, however, they represent the largest legislative package concerning cybersecurity that has been enacted into law in more than a decade and may foretell an increased willingness by government to tackle more troublesome issues in legislative sessions to come.
Nandini Iyer and Gabriel Ledeen, associates in the Silicon Valley and San Francisco Offices respectively, assisted in the preparation of this Alert.