Legislative Branch Activity
Cybersecurity Legislation
Last week, the Senate Permanent Select Committee on Intelligence held a closed session to mark up the Cybersecurity Information Sharing Act (CISA) which was recently introduced by Chairman Dianne Feinstein (D-CA) and Ranking Member Saxby Chambliss (R-GA). The legislation provides a structure for the federal government and the private sector to share information regarding cyber threats. Additionally, it also provides liability protections for those companies that choose to share information with the federal government. While many industry groups have praised the bill, privacy advocates have expressed their strong concerns about the lack of adequate privacy protections included in the legislation.
The bill was passed by the Committee in a 12-3 vote and Chairman Feinstein and Ranking Member Chambliss noted that they were hopeful that the bill could be completed by the end of the year. If the bill is passed on the Senate floor, it will move to a conference with the House’s information sharing bill – the Cybersecurity Intelligence Sharing and Protection Act (H.R. 624) – which passed the House in April 2013.
The Senate Homeland Security and Governmental Affairs Committee also recently advanced two pieces of cybersecurity legislation – the Federal Information Security Modernization Act of 2014 (S. 2521) and the National Cybersecurity and Communications Integration Center (NCCIC) Act of 2014 (S. 2519). Both bills were passed by voice vote and now also await consideration on the Senate floor. S. 2521 would update the Federal Information Security Management Act (FISMA) of 2002 and S. 2519 would codify and outline the roles and responsibilities of the NCCIC within the Department of Homeland Security (DHS).
Upcoming Hearings
- Tuesday, July 15: The Senate Judiciary Subcommittee on Crime and Terrorism will hold a hearing titled “Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks.”
Executive Branch Activity
Department of Homeland Security Guidance
The U.S. Department of Homeland Security (DHS) is planning to release two documents this summer that will inform its cybersecurity work with critical infrastructure owners and operators. The first document released will be a list of top cybersecurity priorities for the federal government and critical infrastructure owners and operators which was part of the call to action included in the National Infrastructure Protection Plan (NIPP) issued last December. DHS collected comments through the end of last week on its proposed joint national priorities for the government and the private sector on cybersecurity, which the Department plans to review and incorporate into the priorities list. Additionally, DHS plans to release sector-based cybersecurity guidance this summer that will outline a general framework for critical infrastructure cybersecurity plans. DHS leaders have noted that this guidance will be less prescriptive than it has been in the past and will not mandate specific or identical actions that all 16 critical infrastructure sectors will be required to implement. Some critical infrastructure sectors, such as the financial services sector, are currently planning to do surveys of the cybersecurity practices in place in their industry to determine whether sector-specific guidance is necessary.
NIST Cybersecurity Framework for Cyber-Physical Systems
The National Institute of Standards and Technology (NIST) recently announced their intention to develop and implement a new Cybersecurity Framework for cyber-physical systems by summer 2015. NIST established a working group of stakeholders interested in cyber-physical systems, including representatives from industry, academia and government, to begin developing a road map that would identify opportunities for coordinated effort on key technical challenges facing these systems. The group plans to release the road map in early 2015 and aims to complete it by summer 2015. Additionally, the Cybersecurity Framework for cyber-physical systems that is to be released next summer would establish a uniform definition of these systems and seek to find ways to ensure that cybersecurity provisions are designed and built into the structure of all cyber-physical systems.