Last week, the House Homeland Security Committee approved two cybersecurity bills by a voice vote – the Critical Infrastructure Research and Development Advancement Act of 2013 (H.R. 2952) and the Homeland Security Cybersecurity Boots-on-the-Ground Act (H.R. 3107). It is unclear how quickly these bills will be considered on the House floor, especially in light of the recent controversy surrounding the National Security Agency that has stalled most cybersecurity legislation that Congress is considering. In addition, the House Homeland Security Committee is planning to introduce another cybersecurity bill in the near future – the National Cybersecurity and Critical Infrastructure Protection of 2013 – but has not indicated how quickly this bill will be introduced after it has gone through several draft versions to incorporate stakeholder feedback.
Executive Branch Activity
NIST Cybersecurity Framework
Last week, President Barack Obama held a meeting with the chief executives of several large U.S. companies including defense contractors, financial institutions, energy suppliers and information technology companies. The meeting focused on the recently released draft Cybersecurity Framework from the National Institute of Standards and Technology (NIST) as part of the Executive Order (EO) released in February 2013. While the business leaders expressed their appreciation for NIST’s collaboration with industry to develop the Framework, they also expressed concerns about how the Obama Administration can encourage widespread adoption of the voluntary standards. Currently, the White House is considering the possible incentives that could be used to implement the Framework, including priority consideration for federal grants, cybersecurity insurance and liability protections. While the Obama Administration can enact some of these incentives on its own, many of the incentives that the U.S. Departments of Treasury, Homeland Security and Commerce recommended earlier this year will require Congressional action.
Stakeholders have until December 13 to submit their comments on the draft Cybersecurity Framework, which will be incorporated in the final Framework due in February 2014, as outlined in the EO. NIST will hold a final workshop to discuss the draft Cybersecurity Framework on November 14-15 at North Carolina State University in Raleigh, North Carolina.
Defense Industrial Base Final Rule
Last week, the U.S. Department of Defense (DOD) published its final rule to implement its Voluntary Cyber Security and Information Assurance (CS/IA) Activities for Defense Industrial Base (DIB) companies. The DIB CS/IA program began as a pilot program that was designed to create a voluntary information sharing program between the federal government and DIB companies. After receiving comments on the interim final rule published in May 2012, DOD expanded this program given the previous success of the pilot program. The final rule will go into effect on November 21.