The Senate Homeland Security and Governmental Affairs Committee on Wednesday easily approved two information security bills, one to reform the current Federal Information Security Modernization Act and another that codifies existing key responsibilities of a cyber security operations center within the Department of Homeland Security (DHS).
“Our legislation would…free federal agencies from some dated and burdensome paperwork requirements while putting into place a more efficient and effective process for monitoring and addressing threats to federal networks in real-time,” Sen. Tom Carper (D-Del.), chairman of the committee, stated at the outset of the markup.
The Federal Information Security Modernization Act (FISMA) of 2014 (S. 2521), which passed unanimously by voice vote, would update the 2002 version of the bill. The updated bill would clarify that the White House Office of Management and Budget is responsible for FISMA and also “strengthens accountability” at the agency level by “enhancing the role” of federal agency chief information officers, said Sen. Tom Coburn (R-Okla.), the ranking member of the committee.
“We’re going to nail it right there and hold them accountable,” Coburn said. “It strengthens existing transparency and reporting requirements so we can actually know what’s going on and actually see it.”
The National Cybersecurity Communications and Integration Center (NCCIC) Act of 2014 (S. 2519), which also passed unanimously by voice vote, designates the cyber watch center as the federal information sharing portal for cyber security. Some of the key provisions in the bill include authorizing the NCCIC “to share cyber security information and analysis with the private sector, provide incident response and technical assistance to companies and federal agencies, and recommend security measures to enhance cyber security,” Carper said.
Carper also said that the NCCIC bill would require DHS to report annually on the operation of the center and direct the Government Accountability Office to study how effective the center is. He also said that the bill would help “the private sector and other stakeholders know what the department can and can not do under the law.”
The NCCIC is a round-the-clock centralized location that integrates and coordinates operational elements involved in cyber security and communications. The center is designed to improve the situational awareness of cyber and communications vulnerabilities, intrusions, incidents, mitigation and recovery actions. Its partners include federal departments and agencies, state, local, tribal and territorial governments, the private sector and international entities.
Carper said that even with the FISMA and NCCIC bills, more legislation is needed to “further clarify the Department of Homeland Security’s role in working with the private sector on cyber security matters,” including establishing “rules of the road for DHS in interacting with private critical infrastructure owners.” He also said that the Homeland Security Act that created DHS needs to be updated to clarify who in DHS is responsible for cyber security “and to continue to improve research and development on cyber security given the ever-evolving nature of this threat.”
At some point, legislation is also needed to codify the DHS’ intrusion detection and prevention program known as EINSTEIN, Carper said.
The Senate Intelligence Committee on Thursday had been expected to consider a separate piece of cyber security legislation, but that markup has been postponed due to uncertainty over whether enough members would be present ahead of the July 4 recess. Committee Chairman Sen. Dianne Feinstein (D-Calif.) and ranking member Sen. Saxby Chambliss (R-Ga.) last Tuesday introduced the Cybersecurity Information Sharing Act, which would allow the federal government and companies to legally share information on cyber attacks and also provide liability protections to companies.