Three senior senators today finally introduced the long-awaited comprehensive cybersecurity bill.
The three-year effort, now known as the Cybersecurity Act of 2012 (S. 2105) is an attempt to secure federal systems by updating the Federal Information Security Management Act (FISMA) and expanding the role of the Homeland Security Department in securing critical infrastructure, such as the power grid, water systems and other sectors that are vital to the nation.
All of these efforts signal one of the strongest pushes by both Congress and the administration to address cyber vulnerabilities in the government and in the private sector in the last three years.
“Consider the warning signs, hackers now seem to be able to routinely crack the codes of our government agencies, including the most sensitive ones,” said Sen. Jay Rockefeller (D-W.Va.) in a floor statement introducing the bill Tuesday. “Our Fortune 500 companies, they do routinely, and then everything in between. Adm. Mike Mullen, former Joint Chiefs chairman, said the cybersecurity threat is the only other threat that is on the same level as Russia’s stockpile of nuclear weapons. Loose nukes, if you will. FBI Director Robert Mueller testified to Congress very recently that the cyber threat will soon overcome terrorism as the top national security focus of the FBI.”
The Senate bill, which also is sponsored by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), is part of an evolutionary process that has been vetted wide and far, said a Senate staff member during a press briefing on the bill Tuesday.
“The chair and ranking member of the Committee on Homeland Security and Governmental Affairs have recently introduced their latest legislative proposal, which as drafted, does not satisfy our substantial concerns,” the lawmakers wrote. “If we are serious about enacting effective legislation into law, we must provide all members of the Senate an opportunity to become adequately informed by regular order. This is not the kind of legislation that can result in a carefully balanced solution unless the full process is afforded.”
Sens. Kay Bailey Hutchison (R-Texas), John McCain (R-Ariz.), Chuck Grassley (R-Iowa), Saxby Chambliss (R-Ga.), Lisa Murkowski (R-Alaska), Jeff Sessions (R-Ala.) and Mike Enzi (R-Wyo.) want more hearings with the jurisdictional committees so the members can learn about the bill.
But other Senate staff members said they’ve conducted more than 150 meetings over the last three years with lawmakers, companies, industry associations, agencies, cybersecurity, privacy and civil liberties experts and many others and those conversations have led to several significant changes.
In the final version, senators stripped out the Senate-confirmed White House cyber policy director and office. A staff member said there wasn’t a lot of support for it and it wasn’t worth the holding up the bill for it.
The bill also clarifies language in the FISMA section detailing the actions agencies can take if a vendor’s system holding government data is under cyber attack or considered vulnerable.
The bill now defines any lawful action as one to “require the remediation of or protect against identified information security risks with respect to information collected or maintained by or on behalf of an agency; or that portion of an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”
The bill also includes new provisions to improve federal acquisition of technology products and services:
The Office of Federal Procurement Policy will work with the Chief Information Officer’s Council and the Federal Acquisition Institute shall ensure contracting officers have training in information security requirements.
The Office of Management and Budget also must write a report on possible impediments in the acquisition process that slow agency use of the newest, most secure technologies.
The General Services Administration shall develop a special item number under the IT schedule and consolidate under that SIN all information-security products and services.
OMB shall issue guidance within six months of the bill becoming law requiring agencies to purchase IT products only through authorized channels to reduce the use of counterfeit products.
The administration also is trying to address several of the same areas in the bill. For instance, the FISMA update requires the use of continuous monitoring. Federal CIO Steven VanRoekel said the budget would improve agency capabilities to find and stop threats against their networks.
“We also will be connecting the dots between on-premise systems and cloud based systems,” VanRoekel said Monday during a press call on the 2013 IT budget request. “This investment in the 2013 budget in conjunction with FedRAMP security controls will allow us to monitor whole government infrastructure whether on premise in federal facilities or in the cloud in a continuous way.”
‘Whole of government accountable’
And by making cybersecurity a cross-agency goal, it will place DHS on the civilian side and the National Security Agency on the Defense/Intelligence Community side in the fray to a larger extent.
“We will now hold the whole of government accountable in one way for cyber capabilities and examine threats in this holistic way,” he said. “I’m excited to see that come online.”
Neither VanRoekel nor the budget offers any further details on what the cross-agency goals mean.
The budget requests $202 million for a cybersecurity capability-improvement program at DHS to “further reduce the risk in the federal cyber domain” by addressing vulnerabilities, supporting continuous monitoring and improving the common operating pictures of threats across agencies.
DHS’s U.S. Computer Emergency Response Team (U.S.-CERT) would receive $15.3 million and 12 new employees.
Finally, DHS is asking for $117 million for network security deployment under the Einstein program.