Obama Signs 5 Cybersecurity BillsFirst Time in Dozen Years Major CyberSec Bills Become Law
Without ceremony, President Obama on Dec. 18 signed five cybersecurity-related bills, including legislation to update the Federal Information Security Management Act, the law that governs federal government IT security.
It's the first time in 12 years that significant cybersecurity legislation has become law. The last major piece of cybersecurity law to be passed by Congress and signed by a president was the E-Government Act of 2002, which included FISMA.
The five cybersecurity measures, among 48 bills the White House announced the president had signed, include the:
- Federal Information Security Modernization Act, which codifies the existing administration practice of having the Office of Management and Budget determine IT security policies for federal agencies. In addition, the law grants the Department of Homeland Security authority to carry out the operational aspects of those policies among civilian agencies (see FISMA Reform Heading to the White House).
- Homeland Security Workforce Assessment Act, a rider on the Border Patrol Agent Pay Reform Act, which identifies and fills key cybersecurity positions at DHS and provides competitive compensation. The statute also calls for a process to identify IT security skills the DHS needs to fill.
- Cybersecurity Workforce Assessment Act, which requires the DHS to assess its cybersecurity workforce and develop a comprehensive strategy to enhance the readiness, capacity, training, recruitment and retention of its cybersecurity workforce.
- National Cybersecurity Protection Act, which codifies the National Cybersecurity and Communications Integration Center, a 24x7 cyber situational awareness, incident response and management center that is a national nexus of cyber and communications integration for the federal government, intelligence community and law enforcement. The NCCIC shares information among the public and private sectors to provide greater understanding of cybersecurity and communications situation awareness of vulnerabilities, intrusions, incidents, and mitigation and recovery actions.
- Cybersecurity Enhancement Act, which authorizes the Department of Commerce, through its National Institute of Standards and Technology unit, to facilitate and support the development of voluntary standards to reduce cyber-risks to critical infrastructure. The law also requires the Office of Science and Technology Policy to develop a federal cybersecurity research and development plan (see Bill OK'd to Enhance NIST Cybersecurity Role).
The statute eliminates the 12-year-old requirement that agencies must submit a checklist showing their IT systems and processes comply with security standards and controls. Instead, under FISMA reform, agencies are required to continuously monitor their systems for vulnerabilities.
Sen. Tom Carper explains FISMA reform.
"Slow and cumbersome hiring procedures have been a persistent challenge for DHS when competing for scarce cybersecurity talent," says Diana Burley, a Georgetown University professor who studies government IT security employment. "This bill will reduce these barriers to entry and enhance DHS's ability to compete with other agencies - most notably NSA and DoD - in hiring the limited number of cybersecurity professionals."
"It is critical that the department continues to build strong relationships with business, state and local governments and other entities across the country so that we can all be better prepared to stop cyber-attacks and quickly address those intrusions that do occur," says bill sponsor, Sen. Tom Carper, D-Del.