Long-awaited legislation passed by Congress last week will help bring federal information security into the 21st century. Among the five bills awaiting President Barack Obama’s signature is legislation to update the 12-year-old Federal Information Security Management Act, which many have criticized for fostering a check-the-box approach to cybersecurity rather than a continuous evaluation of security practices and effectiveness.
The Federal Information Security Modernization Act of 2014 won’t do away with annual security reports to Congress but does require agencies to use automated tools to periodically test and evaluate whether their information security policies are effective. The frequency of those tests will be determined using a risk-based approach to security.
The bill also codifies the Department of Homeland Security’s role in overseeing the implementation of security policies and practices for information systems owned and operated by civilian agencies, not defense and intelligence agencies; the defense secretary and the director of the national intelligence agency will oversee those systems.
Under the new bill, agencies’ annual security reports to Congress must include a description of “each major information security incident that involved a breach of personally identifiable information,” including how many people were impacted and what information was compromised, as well as an assessment of agency compliance with breach notification policies.
“Updating the law for federal information security will ensure that agencies are accountable to Congress and the public for data breaches,” said Sen. Tom Coburn, after Congress approved the bill.
President Obama is expected to sign the legislation and four other cyber bills into law, according to The Hill. The bills, however, stop short of supporting robust information sharing between intelligence agencies and the private sector. They also do not provide legal protections for companies that voluntarily share cyberthreat information, following failed attempts in Congress to offer such immunity.
Lawmakers are calling the bills the first in a series of steps to improve the nation’s cyberdefenses but argue that more must be done. Outgoing House Intelligence Chairman Mike Rogers told The Hill that the bills are “not going to get at our ability to stop bad guys from doing bad things.”
Sen. Tom Carper, chairman of the Senate Committee on Homeland Security and Governmental Affairs, agreed. “While our work in this area is far from finished, these bills are an important step in our effort to modernize our nation’s cybersecurity programs and help the public and private sectors work together to tackle cyber threats more effectively in the future,” Carper said in a statement.
The hope is that the next Congress will build on the progress that has been made.
Bills to Improve Cyber R&D, DHS Workforce
Other cybersecurity bills approved by Congress and awaiting the president’s signature include legislation that creates a process for the National Institute of Standards and Technology to facilitate industry-driven standards for critical infrastructure that will be “non-regulatory, non-prescriptive and technology neutral,” according to a news release on the bill. The Cybersecurity Enhancement Act will also strengthen the government’s cyber research and development programs by building on existing programs.
The National Cybersecurity Protection Act codifies the authorities of the DHS National Cybersecurity and Communications Integration Center, including the center’s role in sharing cyber data and analysis with industry.
Congress also passed legislation to ensure that the DHS has a comprehensive strategy for building its cybersecurity workforce. The Cybersecurity Workforce Assessment Act sets timelines for the DHS secretary to assess the readiness and capacity of the department’s cyber workforce to meet its mission; the positions that are vacant or filled, and by whom; and a 10-year projection of the department’s cybersecurity workforce needs and plans to recruit veterans, experienced professionals, the unemployed and those from underserved communities.
The Border Patrol Agent Pay Reform Act includes a provision to help DHS recruit and retain cybersecurity professionals. Specifically, the bill empowers the DHS secretary to increase basic pay and offer additional compensation, including benefits, incentives and allowances to fill critical cybersecurity positions.
Sen. Carper urged lawmakers not to rest on their laurels and expressed his commitment to moving cybersecurity forward. “I will make cybersecurity a top priority for the 114th Congress and continue to work with my colleagues on both sides of the aisle on a long-term solution to enhance our nation’s cybersecurity efforts,” he said.