Cybersecurity Legislation: What's Next?

Analysis: FISMA Reform, Cyberthreat Information Sharing

By , September 13, 2013.
With Congress back in Washington after its summer recess, lawmakers are focused on Syria, the federal budget and the debt limit. Cybersecurity is in its usual place, taking a backseat to other challenges.

Still, cybersecurity awareness in Congress is at its zenith, thanks to the Edward Snowden and Bradley Manning leaks, highly publicized cyber-attacks and President Obama's issuance last February of an executive order to create a cybersecurity framework to protect the nation's critical infrastructure (see Obama Issues Cybersecurity Executive Order). And if there's not much rhetoric heard about cyberthreats from Capitol Hill, behind the scenes, congressional staffers are tweaking legislation aimed at safeguarding the federal government and the nation.

Pressure will be on Congress - especially the Senate - to act by year's end to avoid politicizing cybersecurity in 2014, an election year. For the most part, cybersecurity is a bipartisan issue. But some philosophical differences have prevented significant cybersecurity legislation from being enacted.

In the last Congress, Republican objections over regulating industry led Democrats to rewrite legislation to make IT security standards voluntary. That legislation died with the end of the 112th Congress. Still, some in the GOP even object to voluntary standards, concerned that they could coerce businesses to adopt them.

Giving the Department of Homeland Security sway in getting federal civilian agencies to comply with IT security standards met resistance in some quarters, helping thwart passage of comprehensive cybersecurity legislation.

Avoiding Past Pitfalls

The big question is: Can Congress avoid past pitfalls and find compromises that lead to the enactment of significant cybersecurity legislation? If not, it won't be for a lack of trying.

There's a slew of cybersecurity-related legislation winding its way through Congress or in the process of being drafted, including reforming the Federal Information Security Management Act, the 11-year-old law that governs federal government IT security; implementing processes to promote the sharing of cyberthreat information between government and industry; and encouraging initiatives to develop new IT security technologies and processes and grow the IT security workforce.

The Republican-controlled House, with bipartisan support, earlier this year passed three major cybersecurity bills: the Federal Information Security Amendments Act, a FISMA reform measure that was unanimously approved in April (see FISMA Reform Passes House on 416-0 Vote); the Cyber Intelligence Sharing and Protection Act, a cyberthreat information sharing measure approved by a 288-127 vote (see House Handily Passes CISPA); and the Cybersecurity Enhancement Act, to promote cybersecurity research and development and explore ways to increase the pool of IT security practitioners in the United States.

No Rubberstamp

Despite overwhelming Democratic support for the approved House bills, the Democratic-controlled Senate isn't likely to rubberstamp the lower chamber's measures.

Take FISMA reform, for example. The House bill does not give DHS authority to oversee implementation of IT security processes at civilian government agencies, something that previous Senate legislation has championed and the Obama administration has put into practice through executive actions. Future Senate legislation could likely codify those executive actions, but not go as far as the Cybersecurity Act of 2012, which never came up for a vote last year. In that comprehensive bill, which incorporated FISMA reform and cyberthreat information sharing rules, Senate sponsors advocated the creation of a National Center for Cybersecurity Communications. Don't expect that type of bureaucracy in a new Senate bill.

Priorities change with leadership changes. In the last Congress, the Senate Homeland Security and Governmental Affairs Committee was chaired by Joseph Lieberman, the Connecticut Independent who advocated stronger DHS leadership in enforcing cybersecurity standards among federal civilian agencies. He retired last year, and the committee is now headed by Tom Carper, the Delaware Democrat who has been Congress' biggest proponent of FISMA reform.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
