After passing several cyber security bills this week, the House and Senate Thursday night each passed another piece of cyber legislation aimed at improving cooperation between the federal government and industry, strengthening the cyber workforce within government and creating a federal technology development plan for information security.

The Cybersecurity Act of 2013 (S. 1353) amends the existing National Institute of Standards and Technology Act to allow the Commerce Secretary to facilitate the development of voluntary, industry-led standards and practices to reduce cyber risks to critical infrastructure.

“NIST and our research agencies will have a leading role in this effort, and the authority to work closely with the private sector to identify and reduce cyber risks,” Sen. Jay Rockefeller (D-W. Va.), chairman of the Senate Commerce, Science and Transportation Committee, said in a statement on Friday.

Sen. John Thune (R-S.D.), ranking member on the committee, said the “bill will ensure a voluntary partnership between the government and private sector to protect the computer systems Americans rely on every day.”

The legislation essentially codifies work that NIST has been overseeing for nearly two years now in developing the Cybersecurity Framework, which is a set of voluntary cyber security best practices and standards that was crafted with industry involvement and can be used by the private sector to bolster their network security posture. Creation of the framework was done at the behest of President Barack Obama, who issued an executive order in Feb. 2012 after Congress failed to pass any cyber security legislation.

The new legislation, along with the other cyber bills passed this week, heads to Obama for his signature. The bill also prohibits NIST from telling industry what security solutions, products or services to use and how these solutions should be designed or manufactured.

The bill also directs the White House Office of Science and Technology Policy to develop a research and development plan for the federal government to meet cyber security objectives. The plan, which must be updated every three years, must also address individual privacy guarantees, how to verify third-party software and hardware, insider threats, how to determine the origin of messages transmitted over the Internet, and cloud and wireless device security.

The National Science Foundation (NSF) is also directed to support cyber security research and review cyber security test beds, and if necessary, to award grants to universities and non-profit research organizations to establish additional test beds.

The bill also directs the NSF and the Departments of Commerce and Homeland Security to support ways to bring cyber talent into federal, state, local and tribal governments.

NIST is also directed to continue national outreach efforts to promote cyber security awareness.

Other cyber-related bills approved by Congress this week are aimed at improving information between the federal and private sector and within government, bolstering DHS’ cyber security workforce, and updating the existing Federal Information Security Modernization Act (FISMA) to increase accountability within departments and charge the White House with oversight of FISMA.