Privacy & Information Security Law Blog

In a flurry of activity on cybersecurity in the waning days of the 113th Congress, Congress unexpectedly approved, largely without debate and by voice vote, four cybersecurity bills that: (1) clarify the role of the Department of Homeland Security (“DHS”) in private-sector information sharing, (2) codify the National Institute of Standards and Technology’s (“NIST”) cybersecurity framework, (3) reform oversight of federal information systems, and (4) enhance the cybersecurity workforce. The President is expected to sign all four bills. The approved legislation is somewhat limited as it largely codifies agency activity already underway. With many observers expecting little legislative activity on cybersecurity before the end of the year, however, that Congress has passed and sent major cybersecurity legislation to the White House for the first time in 12 years may signal Congress’ intent to address systems protection issues more thoroughly in the next Congress.

On December 11, the House passed Senate legislation codifying DHS’s National Cybersecurity and Communications Integration Center (“NCCIC”) making it the central hub for public-private information sharing. That bill, the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (“NCCIPA”), is the Senate version of similar legislation passed by the House this past summer. The NCCIPA now heading to the President is a pared-down version of the original House bill, leaving out a number of industry-desired provisions that would have eased cybersecurity information sharing with the NCCIC. Notably, industry has been calling for legal protections for companies engaged in sharing information with the government. Nevertheless, the version of the bill headed to the President lacks an extensive legal safe harbor for information-sharing. As well, this version of NCCIPA lacks language from the original House bill that explicitly gave SAFETY Act protections to cybersecurity products. Thus, while passage of NCCIPA is an important and largely unexpected step forward on cybersecurity policy, liability concerns will continue to hamper cybersecurity information sharing.

Later in the evening on December 11, the House and Senate passed the Cybersecurity Enhancement Act of 2014, which authorizes NIST to facilitate and support the development of voluntary, industry-led cyber standards and best practices for critical infrastructure. The bill essentially codifies the ongoing process begun earlier this year through which the NIST Cybersecurity Framework was developed. That process remains voluntary under the bill, with no new regulatory authority added to the Framework. The bill also authorizes the federal government to support research, raise public awareness of cyber risks, and improve the nation's cybersecurity workforce.

Earlier in the week, on December 8, the Senate passed by voice vote and without debate the Federal Information Security Modernization Act of 2014, which overhauls the 12 year-old Federal Information Security Management Act (“FISMA”). This legislation replaces FISMA’s current requirement that agencies must file annual checklists that show the steps they have taken to secure their IT systems, and puts the Department of Homeland Security (“DHS”) in charge of “compiling and analyzing data on agency information security” and helping agencies install tools “to continuously diagnose and mitigate against cyber threats and vulnerabilities, with or without reimbursement.” DHS has been increasingly performing this role already and similar legislation passed the House of Representatives in April 2013. That bill, however, was subject to jurisdictional disagreements between the House Homeland Security and Oversight and Government Reform Committees. Surprisingly, Oversight and Government Reform Chairman Rep. Darrell Issa (R-CA) dropped objections to the Senate’s FISMA reform bill and the House passed it on Wednesday evening by voice vote. The House also passed the Senate’s Homeland Security Cybersecurity Workforce Assessment Act as a rider to the Border Patrol Agent Pay Reform Act.

This spate of cybersecurity legislation is more limited in scope than the measures that have been sought by the private sector. Indeed, rather than provide new cybersecurity tools, the bills approved by Congress largely make pre-existing actions official. Still, with the 113th Congress effectively ending this week, passage of any cybersecurity bills is very surprising. Legislative activity on cybersecurity this week indicates a seriousness by policymakers to confront issues vital to information systems protection. In its waning days, the Senate may be attempting to set its mark on future cybersecurity policy. For its part, the House’s sudden action on Senate cybersecurity bills may point to a willingness by House committees to overcome internal jurisdictional disagreements that have hampered similar legislation in the past. The significance here is the recognition by Congress that legislative success now builds momentum for systems-protection policies in the next Congress, such as information-sharing liability protection or data breach legislation. How the 114th Congress confronts those issues is important to businesses seeking to enter public-private partnerships and information-sharing agreements.