Senate Defense Bill Veils Cyber ProvisionsN'tl Defense Authorization Act Seen as Rapid Path to Infosec Reform
Though S. 3454 is tailored for the Defense Department, unlike its House counterpart that contains IT security provisions aimed at the entire government, the Senate version could serve as a vehicle to reform governmentwide IT security governance when the Senate and House versions of National Defense Authorization Act are reconciled in a conference committee. Many of the IT security provisions in the Senate bill parallel those found in other cybersecurity measures.
Among the similar proposals are requirements to continuously monitor IT systems for vulnerabilities and threats, develop processes to assure the safety of computer software and reduce supply chain risk.
What is in the Senate version of defense authorization related to cybersecurity? Among key provisions:
- Automation of continuous monitoring of the effectiveness of the information security policies, procedures and practices within DoD's information infrastructure;
- Strategy to assure the security of software and software-based applications;
- Mechanisms to monitor systems and applications to detect and defeat attempts to penetrate or disable IT systems and applications;
- Strategy in the risk management regarding the supply chain and in operational planning for cybersecurity; and
- Strategy to rapidly acquire tools, applications and other capabilities for cyber warfare for the United States Cyber Command.
The Senate defense authorization bill does not include - but the House one does - provisions to establish a Senate-confirmed director of a newly created National Office of Cyberspace in the White House, form a Federal Cybersecurity Practice Board responsible for developing and updating information security policies and procedures and creation of an Office of the Chief Technology Officer within the White House to work collaboratively across the government and private sector to analyze and improve the use of information technology. Those provisions originally were an amalgam of two bills - the Federal Information Security Amendments Act and the Executive Cyberspace Authorities Act - that became a rider to the defense authorization act the House adopted in late May, making that measure a major federal cybersecurity reform bill.
Senate Majority Leader Harry Reid and the chairs of six Senate panels with information security legislation before them - including Carl Levin, who as chairman of the Senate Armed Services Committee is the defense authorization bill's chief sponsor - have indicated that they would like to create an omnibus cybersecurity bill for the entire chamber to consider.
If that route is pursued, enactment of comprehensive cybersecurity legislation could become more of a challenge because that would require the House to reconsider IT security legislation as a separate bill. With an election approaching, most House members will be focused on getting reelected and not necessarily legislating new cybersecurity policies and processes.
Should the Senate enact the cybersecurity terms that exist in its defense authorization bill, a Senate-House conference committee could accept the House provisions for a more comprehensive cybersecurity law. But the ability to introduce new areas such as the establishment of a cybersecurity operational center overseen by the Department of Homeland Security - which appears in the Lieberman-Collins-Carper bill - would likely not be allowed.
"For the most part, the ability to bring matters not addressed in either bill is very limited," said Tara Andringa, Levin's press secretary. "If a matter is only addressed in one bill, it can be preserved or modified as long as the modification relates to the same subject even though it deals with the subject in a different way."
That procedure could but not necessarily be interpreted by lawmakers to allow more detailed provisions found in other cybersecurity bills to becoming part of a conference report on the National Defense Authorization Act.
Despite the rules and procedures, Congress can do what it wants regarding legislating provided there are sufficient votes in both houses.