Legislative Branch Activity

Cybersecurity Legislation

On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will mark up two pieces of cybersecurity legislation that have not yet been formally introduced. The first is the Federal Information Security Modernization Act of 2014 which would update the Federal Information Security Management Act (FISMA) of 2002. The second bill is the National Cybersecurity and Communications Integration Center (NCCIC) Act of 2014 which would codify and outline the roles and responsibilities of the NCCIC within the Department of Homeland Security (DHS).

In addition, the Senate Intelligence Committee is also expected to hold a closed session this week to mark up the Cybersecurity Information Sharing Act (CISA) which was introduced last week by Chairman Dianne Feinstein (D-CA) and Ranking Member Saxby Chambliss (R-GA). The bill provides a structure for the federal government and the private sector to share information regarding cyber threats and also provides liability protections for those companies that choose to share information with the federal government. House Intelligence Committee leaders praised the bill last week, noting that they hope the Senate will pass CISA so that it can be conferenced with the cybersecurity information sharing bill the House passed in April 2013 –  the Cybersecurity Intelligence Sharing and Protection Act (H.R. 624).

Upcoming Hearings

  • Wednesday, June 25: The Senate Homeland Security and Governmental Affairs Committee will mark up two bills related to cybersecurity – the Federal Information Security Modernization Act of 2014 and the National Cybersecurity and Communications Integration Center Act of 2014. Neither of these bills has been officially introduced at this time.
  • Wednesday, June 25: The House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies and the House Education and the Workforce Subcommittee on Early Childhood, Elementary and Secondary Education will hold a joint hearing titled “How Data Mining Threatens Student Privacy.”

Executive Branch Activity

United States Computer Emergency Readiness Team

The U.S. Computer Emergency Readiness Team (US-CERT) is planning to issue new White House guidance before October 1 that will update the current federal system for reporting cybersecurity incidents. The changes are expected to include updated categories for federal agencies to use when reporting a cyber attack and will also allow agencies to classify the attack to note the severity of the impact on agency functionality, agency-held information, and agency recovery efforts. Along with the US-CERT guidance, the White House is also expected to release a memo that would eliminate the requirement for agencies to report to US-CERT within an hour of any incident involving the loss of personally identifiable information. This requirement has been difficult for agencies to meet in the past and often requires agencies to report an attack prematurely before they have all of the appropriate information.

FCC CSRIC Industry Working Group

Last Wednesday, a communications industry working group focused on cybersecurity briefed the Federal Communications Commission’s (FCC) Communications, Security, Reliability and Interoperability Council (CSRIC) on the group’s progress on drafting recommendations to improve the communications sector’s cybersecurity posture. The working group first convened last month and will meet again on July 28 to discuss the recommendations that will be submitted to the FCC early next year. Currently, the group is looking at how to apply the National Institute of Standards and Technology’s Cybersecurity Framework to the communications sector and plans to provide guidance on how the sector can incorporate the Framework into existing risk management processes.