On March 7, 2018, the U.S. Senate’s Homeland Security and Governmental Affairs Committee approved a bill (SB 2825) reauthorizing the Homeland Security Act of 2002 and including key cybersecurity provisions affecting the Department of Homeland Security (DHS). The bill is considered a critical piece of legislation that many expect will need to pass before the Congressional recess in August 2018. It already passed the U.S. House of Representatives in July 2017, and will now be considered by the full Senate.
SB 2825 requires that DHS routinely conduct cyber-risk assessments and issue risk reports to Congress. Further, the bill redesignates the cybersecurity agency within the DHS as the Cybersecurity and Infrastructure Security Agency to replace the DHS’s current National Protection and Programs Directorate. SB 2825 also clarifies liability protections for cyber-risk mitigation through DHS’s implementation of the SAFETY Act (“Support Anti-Terrorism by Fostering Effective Technologies Act of 2002”) to incentivize more cybersecurity training activities. Under SB 2825, the DHS would need to significantly bolster its cyber workforce, as well as efforts to advance cybersecurity in several sectors, including the maritime, energy, nuclear and aviation sectors. SB 2825 also adds “enhance cybersecurity” to the list of allowable uses of significant grant funds: $600 million authorized each year from 2018 to 2022 for the State Homeland Security Grant Program.
Following the vote, two House Subcommittees (the House Oversight and Management Efficiency Subcommittee and the Cybersecurity and Infrastructure Protection Subcommittee) held a joint hearing to address the need for DHS to step up efforts to strengthen its cybersecurity workforce and identify critical cybersecurity needs and skill gaps. DHS’s efforts in this regard have been roundly criticized, particularly in a Government Accountability Office report issued in February 2018 and in heated testimony at today’s hearing by Representative Tom Garrett (R-Va.).