Every day, cyberthreats grow in number and sophistication. Each newly exposed exploit leads one to wonder what else is vulnerable in the federal government’s vast network architecture. And with limited resources and trained personnel, it is increasingly difficult for government to keep up with the advanced capabilities of cyber adversaries.
In response, President Obama recently went as far as to call such threats a “national emergency,” and issued an executive order authorizing new abilities to sanction malicious cyber actors.
But it’s not just the Executive branch that should be concerned about cybersecurity. It’s a government-wide concern, so what is Congress doing about it? Actually, a decent amount.
Below is a list and brief descriptions of recent cybersecurity-related legislation.
National Defense Authorization Act (2015)
This Act is over 1,000 pages, but what’s relevant for this post is Section 1637, “Actions to Address Economic or Industrial Espionage in Cyberspace.” This gave Obama legislative authority for the recent executive order mentioned above.
Federal Information Security Management Act, or FISMA (2002, updated 2014)
FISMA was signed into law as part of the E-Government Act of 2002 and updated in 2014. Intended to improve information security within the federal government and its affiliated organizations, FISMA requires each agency to “develop, document, and implement” information security risk management standards. It also encourages agencies to use automated security tools to continuously diagnose and mitigate security vulnerabilities. Federal agencies are rated annually based on the results of the FISMA audit process.
National Cybersecurity Protection Act (2014)
This bill amended the Homeland Security Act of 2002 to officially authorize the already-existing National Cybersecurity and Communications Integration Center (NCIC) in the Department of Homeland Security (DHS). It codifies the activities of the center and further strengthens DHS’s ability to coordinate incident response and provide technical assistance to agencies. It also authorizes the center to act as a critical interface for sharing cybersecurity information among federal civilian agencies and key stakeholders.
Cybersecurity Enhancement Act (2014)
Through public-private collaboration, this bill facilitates and supports the development of a voluntary, consensus-based, industry-led set of standards and procedures to cost-effectively reduce cyber risks to critical infrastructure. The bill also aims to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness. The National Institute of Standards and Technology (NIST) will assist agencies in the development of technical standards.
Border Patrol Agent Pay Reform Act (2014)
This is seemingly unrelated, but the Act included provisions that would speed DHS’s hiring of cybersecurity professionals and allow DHS to pay them more.
Cybersecurity Workforce Assessment Act (2014)
This act directs the Secretary of Homeland Security to assess the cybersecurity workforce of DHS. The assessment will include, among other things: the readiness and capacity of that workforce to meet its cybersecurity mission; where cybersecurity workforce positions are located within DHS; which of those positions are filled by permanent full-time equivalent DHS employees, by independent contractors, and by individuals employed by other federal agencies; and which of those positions are vacant.
Currently, Congress is also considering two bills surrounding cybersecurity information sharing – the Cyber Intelligence Sharing and Protection Act (CISPA) and the Cybersecurity Information Security Act (CISA) – as well as a bill concerning cyber workforce recruitment and retention at DHS.
For a legislative body currently known for its exceptional levels of gridlock, there has been a significant amount of bipartisan support around cybersecurity.