Monday, May 24, 2010

Former acting cybersecurity czar provides legislative summary of bills in 111th Congress

Former acting cybersecurity czar Melissa Hathaway, who in early 2009 led the Obama administration's 60-day review of cybersecurity policy and who is now a senior advisor at the Harvard Kennedy School's Belfer Center for Science and International Affairs, this month made public an overview of more than three dozen separate pieces of legislation pending, at various stages, in both houses of Congress. The report provides brief highlights of the major cybersecurity implications of each bill and identifies where each fits into one or more of seven categories of security functions:
  1. Organizational Responsibility
  2. Compliance and Accountability
  3. Data Accountability, Personal Data Privacy, Data Breach Handling and Identity Theft
  4. Cybersecurity Education, R&D and Grants
  5. Critical Electric-Power Infrastructure Protection and Vulnerability Analysis
  6. International Cooperation and Addressing Cybercrime
  7. Procurement, Acquisition, Supply Chain Integrity
Among the 41 pieces of legislation included in the review, Hathaway calls out nine in particular that bear watching, notably including the U.S. Information and Communications Enhancement Act sponsored by Sen. Tom Carper (S.921), the Cybersecurity Act sponsored by Sens. Jay Rockefeller and Olympia Snowe (S.773), and bills in both the House and Senate on data breach notification and data accountability. One of the most active recent House bills, the Federal Information Security Amendments Act (H.R.4900), is not on the "legislation to watch" list, although it is included within the scope of Hathaway's review.

Hathaway concludes her report (really structured more as a briefing) with three recommendations that might be appropriately directed to Congress or the administration's cybersecurity coordinator for further action:
  • Need Congressional leadership to set the legislative priorities for cybersecurity
  • Need to clearly articulate the direction for cybersecurity private-public engagement and responsibilities
  • Need broad-based awareness and education campaign for the U.S. population and other like-minded nations
The third of these is an area being addressed in several of the draft bills under consideration, including the House Cybersecurity Enhancement Act (H.R.4061), which among other provisions would direct additional funding to the National Science Foundation to pay for student scholarships in exchange for two to three years of public service working in cybersecurity. The second recommendation is a general point of contention between government and industry and reflects an area that may or may not be explicitly resolved in whatever federal cybersecurity legislation actually gets enacted. The relevance of the first recommendation is amplified by the sheer volume of potential legislative actions under consideration; some agreement on priorities might facilitate consolidating these 40+ bills into a more manageable number that would also have a greater chance of passage. There seem to be enough competing priorities in Congress on numerous other fronts to constrain real progress on cybersecurity enhancements or reform, and this situation is only made worse by so many pieces of proposed legislation, many of which cover similar ground.