One of the few things the parties in Congress can agree upon these days is cybersecurity – at least when it comes to directing the federal government’s cyber activities. In its final days, the 113th Congress reached agreement on several major pieces of legislation intended to improve the nation’s cybersecurity: the National Cybersecurity Protection Act of 2014, the Federal Information Security Modernization Act of 2014, the Border Patrol Agent Pay Reform Act of 2014 (a bill that contains provisions from the Department of Homeland Security (DHS) Cybersecurity Workforce Recruitment and Retention Act of 2014), the Cybersecurity Workforce Assessment Act, and the Cybersecurity Enhancement Act of 2014. All of these were signed by the President on December 18th, and will be funded by a $1.1 trillion spending package signed by him on December 16th. In total, the bills update the federal government’s roles and responsibilities with respect to planning for and responding to cyber threats, helping it move into the 21st century with a trained workforce. What is notably absent in this nicely wrapped package of bills, however, is any meaningful reform for the private sector.
Subsequent posts will provide details of each piece of legislation, but some key highlights include:
NIST’s role in cybersecurity is confirmed
The Cybersecurity Enhancement Act of 2014 formalizes the role of the National Institute of Standards and Technology (NIST) in continuing to develop the voluntary Cybersecurity Framework. Through five “titles,” the bill includes provisions to promote cybersecurity research, public/private sector collaboration on cybersecurity, education and awareness, and technical standards, including a federal cloud computing strategy.
Beyond checklists and binders: moving toward a comprehensive, risk based framework
The Federal Information Security Modernization Act of 2014 (FISMA) is a comprehensive bill intended to bring federal agency information security practices into the new millennium – to better respond to evolving cybersecurity threats. FISMA updates the Federal Information Security Management Act of 2002, and provides a comprehensive framework for ensuring the effectiveness of information security controls over federal information operations and assets. It recognizes the highly networked nature of current federal computing environments and the complex task of coordinating information security efforts throughout the civilian, law enforcement and national security communities. Perhaps one of the most talked about aspects of this bill is the elimination of “inefficient and wasteful reports.” It has been reported that federal agencies spend significant time and money on programmatic reports that meticulously document cybersecurity controls in volumes of binders, yet do little to address real-time threats.
DHS gets a little R-E-S-P-E-C-T
Although the Department of Homeland Security (DHS) has often been tasked with the responsibility of implementing cybersecurity, the agency had little authority to actually do so. FISMA vests operational responsibility for federal agency information security in DHS, while the National Cybersecurity Protection Act of 2014 (NCPA) provides the agency “with clear authority to more effectively carry out its mission and partner with private and public entities.” The bill codifies the existing cybersecurity and communications operations center at DHS, known as the National Cybersecurity and Communications Integration Center (NCCIC), and directs the agency, in coordination with various other stakeholders, to develop and regularly update, maintain and test cyber incident response plans to address cybersecurity risks to critical infrastructure.
Because these responsibilities and operations will require staffing, two bills were passed that contemplate staffing now, as well as in the future. The Cybersecurity Workforce Recruitment and Retention Act of 2014 allows DHS to establish cybersecurity positions within the agency to better meet its cybersecurity mission, while the Cybersecurity Workforce Assessment Act requires DHS to evaluate the readiness and capacity of the DHS workforce to meet its cybersecurity mission and assess the viability of a Cybersecurity Fellowship Program that would invest in training the next generation of the government’s cybersecurity workforce.
A federal breach notification law – for government use only
Beyond codifying the NCCIC, the NCPA also creates a data breach notification law that is similar to the 47 state data breach notification statutes and requires federal agencies to notify individuals affected by a data breach.
2015: The Year of Cybersecurity for the Private Sector?
The passage of legislation supporting the development of federal agency cybersecurity infrastructure and the enhancement of processes, combined with funding to support the efforts, indicates substantial momentum for national cybersecurity efforts. But bipartisan agreement only went so far. Despite continuing “mega breaches” and their escalating ramifications, meaningful private sector reforms were a bridge too far. Several bills aimed at setting national data security and breach notification standards, as well as public-private sector information sharing, were introduced in the 113th Congress, but none survived. In the data breach standards and notification context, there was general consensus on the concept of a federal standard, but concerns over preemption and disagreement on the finer points of timing and the content of the breach notices ultimately prevented passage. Similarly, despite support from the U.S. Chamber of Commerce and the backing of both Democratic and Republican sponsors, the Cybersecurity Information Sharing Act (CISA) of 2014 could not overcome privacy advocates’ fears that the legislation would enable excessive sharing of Americans’ private information with the government. However, CISA’s House counterpart, the Cyber Intelligence Sharing and Protection Act (CISPA), passed the Republican-controlled House in 2013, leading some to speculate that a GOP-controlled Congress makes it more likely information-sharing legislation will pass in 2015.
So while 2014 may be remembered as the Year of the Mega Data Breach, implementation of the 2014 cyber legislation, combined with the potential for more legislation in the new Congress, may yet make 2015 the Year of Cybersecurity.