Cyber legislationObama signs five cybersecurity measures into law

Published 23 December 2014

Last week President Barack Obama signed five cybersecurity-related pieces of legislation, including an update to the Federal Information Security Management Act(FISMA) — now called the Federal Information Security Modernization Act — the law which governs federal government IT security. Other cyber legislation the president signed includes the Homeland Security Workforce Assessment Act, the Cybersecurity Workforce Assessment Act, the National Cybersecurity Protection Act (NCPA), and the Cybersecurity Enhancement Act.

Last week President Barack Obama signed five cybersecurity-related pieces of legislation, including an update to the Federal Information Security Management Act (FISMA), the law which governs federal government IT security. The last time a significant cybersecurity legislation became law was in 2002, when George W. Bush signed the E-Government Act of 2002, which authorized FISMA.

FISMA, now the Federal Information Security Modernization Act, extends the Office of Management and Budget’s responsibility to determine IT security policies for federal agencies. It also grants DHS authority to administer the operational aspects of those policies among civilian agencies. The new FISMA eliminates the previous requirement that federal agencies must submit a checklist verifying that their IT systems and processes meet federal security standards and controls. GovInfoSecurity reports that now, agencies must continuously monitor their systems for vulnerabilities.

The Homeland Security Workforce Assessment Act, attached to the Border Patrol Agent Pay Reform Act, fills key cybersecurity positions at DHS at competitive pay rates, calls for a process to identify IT security skills the department needs to fill.

Slow and cumbersome hiring procedures have been a persistent challenge for DHS when competing for scarce cybersecurity talent,” says Diana Burley, a Georgetown University professor who studies government IT security employment. “This bill will reduce these barriers to entry and enhance DHS’s ability to compete with other agencies — most notably NSA and DoD - in hiring the limited number of cybersecurity professionals.”

Further to support DHS’s cyber initiatives, the Cybersecurity Workforce Assessment Act will require DHS to assess its cybersecurity workforce and develop a comprehensive strategy to enhance the readiness, capacity, training, recruitment and retention of its cybersecurity workforce.

The National Cybersecurity Protection Act (NCPA) will codify DHS’s current cybersecurity and communications operations at the National Cybersecurity and Communications Integrity Center (NCCIC). The bill instructs the NCCIC to share information about cybersecurity risks and incidents, provide technical assistance, risk management support, and incident response capabilities to federal and non-federal entities, specifically owners and operators of critical information systems. Under the NCPA, DHS must within 180 days of the law’s enactment, recommend to various congressional committees how to move forward with information-sharing agreements for cybersecurity purposes between the NCCIC and non-federal entities.

It is critical that the department continues to build strong relationships with business, state and local governments and other entities across the country so that we can all be better prepared to stop cyber-attacks and quickly address those intrusions that do occur,” said bill sponsor, Senator Tom Carper (D-Delaware).

Lastly, Obama signed the Cybersecurity Enhancement Act, authorizing the Commerce Department, through its National Institute of Standards and Technology (NIST) unit, further to facilitate and support the development of voluntary standards meant to reduce cyber-vulnerabilities to critical infrastructure. The agency released its first version of the Framework for Improving Critical Infrastructure Cybersecurity in February. The law also ordered the Office of Science and Technology Policy to develop a federal cybersecurity research and development plan. Senator Jay Rockefeller (D-West Virginia), chairman of the Senate Commerce, Science and Transportation Committee, and sponsor of the bill, praised the passage last week. “For years, I have said that cyber-attacks pose one of the gravest threats to our national and economic security. Now, with the passage of the Commerce Committee’s cybersecurity legislation, protecting our information networks is a top priority for the federal government,” said Rockefeller. “NIST and our research agencies will have a leading role in this effort, and the authority to work closely with the private sector to identify and reduce cyber-risks.”