Legislative Branch Activity

Cybersecurity Legislation

In the continued wake of ongoing cybersecurity attacks against  Home Depot, Healthcare.gov, and Community Health Services, one of the country’s largest hospital chains, the debate continues over the need for Congress to move  cybersecurity and  data breach legislation.  In an op-ed posted in The Hill last week, U.S. Department of Homeland Security (DHS) Secretary Jeh Johnson called on Congress to pass cybersecurity legislation that would codify the roles and responsibilities of the Department, enhance DHS’s ability to hire cybersecurity workers, and improve cybersecurity information sharing. While it is unlikely that there is time to pass legislation before the end of September, prospects remain for action before the end of the year. Last week, Senate Intelligence Committee Ranking Member Saxby Chambliss (R-GA) confirmed that his Committee’s information sharing legislation, the Cyber Information Sharing Act (CISA/S. 2588), will not be taken up by the Senate in September and also acknowledged that the calendar is a challenge overall.

Executive Branch Activity

NIST Cybersecurity Framework

In August, the National Institute of Standards and Technology (NIST) issued a Request for Information (RFI) on the implementation of the Cybersecurity Framework that was released in February. Comments on the RFI are due October 10 and will help set the agenda for the next NIST workshop on October 29-30 in Tampa, Florida. The RFI includes 22 questions about how industry is using the Cybersecurity Framework, how it can be improved, and what NIST’s roadmap should be for future efforts related to cybersecurity.

In addition, NIST will host its second privacy engineering workshop this week in San Jose, California. The workshop will be on Monday and Tuesday and will look at developing privacy requirements and translating policy into system design, according to NIST’s agenda. NIST is also collecting public comments on the privacy engineering concepts that will be discussed at the workshop and plans to issue a draft NIST Interagency Report (NISTIR) on privacy engineering in 2015.

Executive Branch Action

In the meantime, the Obama Administration recently announced that it will be looking at all of the ways that it can help to improve information sharing and reduce burdensome regulations related to cybersecurity in an effort to help the federal government and the private sector protect itself against cyber attacks. White House Cybersecurity Coordinator Michael Daniel used the recent Federal Trade Commission and Department of Justice antitrust policy statement on cybersecurity information sharing as a model for the types of actions that the executive branch plans to take in light of the legislative stalemate on legislation. Additionally, the Administration announced it is planning to review the cybersecurity regulations that are “excessively burdensome, conflicting, or ineffective” through collaboration with industry partners. The White House plans to issue a report by February 2016 that would look at various incentives, including streamlined regulations, which could be used to promote industry adoption of the NIST Cybersecurity Framework.

DHS Data Privacy and Integrity Advisory Committee

On September 22, the DHS Data Privacy and Integrity Advisory Committee will host a public meeting to discuss big data and cybersecurity, as well as receive an update from the Department’s Chief Privacy Officer Karen Neuman. The Advisory Committee is made up of privacy experts from the private sector and provides advice on programmatic, policy, operational, administrative, and technological issues within the DHS that relate to personally identifiable information, as well as data integrity and other privacy-related matters. At the meeting, the Committee will receive a briefing on the implementation of the DHS Data Framework and discuss drafting best practices for DHS’s use of big data.