Congress approved a package of four cybersecurity bills after a series of votes in the House and Senate this week, increasing the likelihood that some cybersecurity-related legislation will be enacted by the end of the year. None of the bills address some of the larger, more contentious cybersecurity issues, such as immunity for private companies that share cybersecurity threat information with the federal government. Instead, the bills focus on narrower cybersecurity issues and the structures and procedures of the federal agencies that oversee cybersecurity. Two of the measures, S. 2519 and S. 2521, are primarily focused on centralizing the federal government’s cybersecurity efforts and enhancing information sharing with the private sector, while the remaining bills, S. 1691 and H.R. 2952, are focused on strengthening the Department of Homeland Security’s cybersecurity workforce and recruitment efforts.
For the private sector, the most significant of the four bills is the National Cybersecurity Protection Act of 2014, S. 2519, which would codify the Department of Homeland Security’s existing National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC would provide a platform for the government and private sector to share information about cybersecurity threats, incident response, and technical assistance. The bill requires the Center to include representatives of federal agencies, state and local governments, and private sector owners and operators of critical information systems. However, the bill gives the Undersecretary of Homeland Security discretion about including governmental or private entities in the center’s operations.
The House also passed the Federal Information Security Modernization Act of 2014, S. 2521, which amends the 2002 Federal Information Security Management Act to centralize federal government cybersecurity management within the Department of Homeland Security. The bill maintains the Director of the Office of Management and Budget’s existing authority over federal civilian agency information security policies while delegating authority to the Homeland Security Secretary to implement these policies. The bill also delegates implementation authority for defense-related and intelligence-related information security to the Secretary of Defense and the Director of National Intelligence, respectively. The bill also codifies the OMB’s directive, issued this past October, that gives DHS authority to scan the networks of other federal civilian government agencies. Both S. 2521 and S. 2519 passed the Senate earlier in the week and now await the President’s signature.
In addition, the House passed two bills that focus on strengthening the federal government’s cybersecurity workforce. S. 1691, which includes provisions from the DHS Cybersecurity Workforce Recruitment and Retention Act, would improve hiring procedures and compensation ranges for cybersecurity positions at the Department of Homeland Security. Under the provisions of the bill, the Department of Homeland Security is required to pay its cybersecurity workers salaries similar to those that cybersecurity positions receive in the Defense Department. The bill also requires DHS to file annual reports on its recruitment and retention of cybersecurity workers. The House also passed H.R. 2952, the Cybersecurity Workforce Assessment Act, as amended by the Senate. The bill would require the Department of Homeland Security to conduct an assessment of its cybersecurity workforce every three years, in addition to developing a strategy for enhancing the recruitment and training of cybersecurity employees. Both bills previously passed the Senate and now await the President’s signature.