Legislative Branch Activity

Cybersecurity Legislation

The House Homeland Security Committee will introduce a new piece of cybersecurity legislation that would codify the cyber roles and responsibilities of the Department of Homeland Security (DHS), as well as address other key aspects of cybersecurity. The committee has been working with stakeholders for several weeks on its draft legislation and will likely move quickly to mark up the bill once it is introduced. The Senate continues to hold discussions with stakeholders and is expected to begin its cybersecurity legislative efforts in the coming weeks.

Executive Branch Activity

Executive Order Deadlines

Last Wednesday, June 12, marked the first set of deadlines that were included in the President’s Executive Order (EO) on cybersecurity. The EO required several actions to be completed by June 12, including requirements for the Secretaries of Homeland Security, Commerce and Treasury to make recommendations on what incentives would be needed to promote participation in the Voluntary Critical Infrastructure Cybersecurity Program. Acting Deputy Secretary of DHS Rand Beers noted during a hearing last week that these recommendations will be accessible to Congress and the public once they are finalized by the Office of Management and Budget (OMB).

As part of the EO, the Secretary of Homeland Security was also required to establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors, although DHS has said that only 54 companies have expressed interest in the program so far. Also due to the President last week were recommendations by the Secretary of Defense and Administrator of General Services on the feasibility, security benefits and relative merits of incorporating security standards into acquisition planning and contract administration. The next deadline in the EO is July 12, when the Secretary of Homeland Security is required to identify the critical infrastructure sectors where a cybersecurity incident “could reasonably result in catastrophic regional or national effects on public health or safety, economic security or national security.”

Medical Device Cybersecurity

The Food and Drug Administration (FDA) issued draft guidance last week that recommended medical device manufacturers review their cybersecurity practices and policies to ensure that the appropriate security measures are in place. FDA is working with other federal agencies, such as DHS, to identify potential cybersecurity vulnerabilities and identify best practices for communicating and mitigating the cyber risks that exist for medical devices. FDA is expected to finalize the guidance later this year.