Cybersecurity Legislation May Need To Wait Until Next Year; NIST Issues Guidance on Cyber Threat Information Sharing and Independent Agencies Begin Ramping Up Cybersecurity Oversight

Legislative Activity

Cybersecurity Legislation

The lame duck session of Congress will officially begin on Wednesday and it is expected that Senate Democrats will seek to use the remainder of 2014 to complete any outstanding policy items before Republicans take over the Senate in 2015. Although many stakeholders are calling for the Senate to take up cybersecurity legislation in the lame duck session, it will be difficult with the short calendar to accomplish all that needs to be done before the end of the year. As such, we anticipate that enactment of cybersecurity legislation will again be a top issue for the 114^th Congress. Even with Republicans taking over the Senate, the key Congressional players engaged in cybersecurity-related initiatives in the 113^th Congress, with a few exceptions, will remain the same and will provide some continuity for the public and private sector participants who have been closely following the process.

We expect that the next Congress will pick up where the current Congress left off but will have to reintroduce and reconsider many of the bills that it passed this year but expect some changes in approach based on some of the new leadership in committees like Senate Homeland Security and Government Affairs Committees, along with the House & Senate Intelligence Committees.  We anticipate introduction of bills in the 114^th Congress similar to those we have seen in the past, such as those focusing on the need to strengthen the capabilities of the U.S. Department of Homeland Security (DHS) in the area of cyber—maintaining a civilian agency as a partner to the private sector. Others will include a focus on codifying the National Cybersecurity and Communications Integration Center (NCCIC), strengthening the hiring abilities of DHS to build and maintaining a cybersecurity workforce, increasing investments in cybersecurity research and development, and updating the Federal Information Security Modernization Act (FISMA).

Regulatory Activity

NIST Guide to Cyber Threat Information Sharing

At the end of October, the National Institute of Standards and Technology (NIST) released its draft Guide to Cyber Threat Information Sharing. This document is intended to provide guidance on improving the efficiency and effectiveness of defensive cyber operations and incident response activities through the improvement of information sharing. Additionally, the draft guide also looks at how to improve the planning, implementation and maintenance of information sharing programs. NIST plans to issue a final guidance document sometime next year. Comments are due on the draft guidance by Friday, November 28.

Cybersecurity Forum for Independent and Executive Agencies

In October, the Cybersecurity Forum for Independent and Executive Agencies convened its inaugural meeting of senior officials from DHS, the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), the Food and Drug Administration (FDA), U.S. Coast Guard, U.S. Department of Transportation (DOT), Federal Aviation Administration (FAA), Federal Energy Regulatory Commission (FERC), Nuclear Regulatory Commission (NRC), and Department of Treasury. The interagency group was formed to examine and share information about their regulatory approaches to cybersecurity. The focus of the first meeting was to discuss four concentration areas that the group plans to focus on moving forward including communication, lessons learned, sharing of best practices and exploring new approaches to cybersecurity. The Cybersecurity Forum for Independent and Executive Agencies will hold a second meeting during the first part of 2015.