The Senate on Dec. 10 passed by unanimous consent a bill that codifies a round-the-clock cyber security watch center—the National Cybersecurity and Communications Center (NCCIC)—within the Department of Homeland Security (DHS).
In addition to authorizing the cyber operations center, the National Cybersecurity Protection Act of 2014 (S. 2519) specifies the activities of the NCCIC, including serving as the “federal civilian interface” for sharing the information security risks, incidents and warnings with federal and non-federal entities, providing shared situational awareness to federal and non-federal entities related to cyber risks and incidents, coordinating cyber security information sharing across the federal government, facilitating cross-sector sharing for cyber risks and incidents, analyzing cyber security risks and incidents and sharing the results with federal and non-federal entities, responding to requests from federal and non-federal entities regarding cyber threats, attribution and ways to mitigate threats, and making recommendations to these entities to bolster security and resilience.
The NCCIC is composed of representatives from across the federal government, including the civilian and law enforcement agencies and the intelligence community, as well as from state and local governments, and the private sector.
The bill was approved in June by the Senate Homeland Security and Governmental Affairs Committee and was introduced by the committee’s chairman and ranking member, Sen. Tom Carper (D-Del.) and Sen. Tom Coburn (R-Okla.), respectively. The legislation was previously called the National Security Communications and Integration Center Act of 2014.
“By codifying the Department of Homeland Security’s existing cyber security operations center, the National Cybersecurity Protection Act of 2014 bolsters our nation’s cyber security while providing the department with clear authority to more effectively carry out its mission and partner with private and public entities,” Carper said in a statement. “It is critical that the department continues to build strong relationships with businesses, state and local governments, and other entities across the country so that we can all be better prepared to stop cyber attacks and quickly address those intrusions that do occur.”
If the bill becomes law, it calls for DHS within six months to report to Congress with recommendations for expediting cyber security-related information sharing agreements between NCCIC and non-federal entities, which include state and local governments and the private sector, while addressing privacy and other protections.
The bill also calls for DHS to work with its various partners, federal and non-federal, to develop cyber incident response plans that can be exercised.
The relevant House and Senate committees worked together on the bill language, although it is far narrower in scope than a similar bill approved by the House in July. That bill, the National Cybersecurity and Critical Infrastructure Protection Act of 2013 (H.R. 3696), in addition to authorizing the NCCIC and the information sharing provisions contained in the Senate bill, would streamline the DHS directorate responsible for cyber security and allow qualified cyber security technologies to be covered by the SAFETY Act, which provides limited liability protections from lawsuits.
Industry wants liability protections for cyber incidents if companies take appropriate precautions but so far Congress has yet to approve legislation granting these protections.
The House bill was offered by Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee. His bill also prohibits the creation of new federal regulatory stemming related to the legislation.
Separately on Dec. 10, the House passed by voice vote a bill that originated in the Senate to reform the pay system for the Border Patrol. The bill includes language from different legislation introduced by Carper aimed at strengthening DHS’ cyber workforce. The Border Patrol bill (S. 1691) would give DHS hiring and compensation authorities similar to what the Defense Department enjoys, allowing the department to hire cyber security experts just as quickly and with comparable salaries.
The Senate earlier in the week also passed a bill to modernize the way the federal government audits its information security practices, the FISMA Modernization Act.