From 1935 - 1997 there were only 11 “Lame Duck” congressional sessions. Once a rarity, they are now commonplace and have occurred in every congress since 1998. As the frequency of these sessions have increased over the last few years, Congress has used lame duck sessions to tackle languishing appropriations bills, beat year-end deadlines, confirm nominations, reauthorize the Defense and Intelligence communities, and, notably, to create the Department of Homeland Security (DHS) in 2002.
Last week was no exception to this trend of lame duck sessions proving to be Congress’s busiest work period, and marked a surprisingly active week for cybersecurity legislation.
To be certain, cybersecurity is clearly an area where voluntary industry initiatives and public-private partnerships are—and should be—the driver of effective policy and best practices to meet a constantly changing threat. Congress has ample opportunity to improve the cybersecurity landscape with targeted legislation that addresses critical federal cybersecurity needs, reflects lessons learned from congressional oversight, and complements successful government and private industry innovation taking place in this dynamic space.
Over the course of four days, with the help of the Senate’s hotline process, Congress passed five cybersecurity bills expected to be enacted into law shortly: the Federal Information Security Modernization Act of 2014 (S. 2521), National Cybersecurity Protection Act (S. 2519), Cybersecurity Enhancement Act of 2014 (S. 1353), Cybersecurity Workforce Assessment Act (H.R. 2952), and the Border Patrol Agent Reform Act (S. 1691). Each made notable changes to the federal cybersecurity landscape:
- Federal Information Security Modernization Act (FISMA) of 2014 (S.2521): Updates the federal government's cybersecurity practices by, among other things: 1) codifying DHS authority on government-wide cybersecurity, which is to supervise operational aspects of cyber policies and practices for non-national security information systems in federal civilian agencies; 2) reestablishing the Office of Management and Budget (OMB)'s oversight authority over federal agency information security policies; and 3) establishing requirements for data breach incident reporting to Congress.
- National Cybersecurity Protection Act (S.2519): Codifies the National Cybersecurity and Communications Integration Center (NCCIC), which DHS established in 2009, and the NCCIC's existing responsibilities. The NCCIC provides cybersecurity threat awareness data across the federal government, and it is the civilian interface with organizations outside the government.
- Cybersecurity Enhancement Act of 2014 (S. 1353): Recognizes and codifies the work by the National Institute of Standards and Technology (NIST) to coordinate closely with the private sector to identify a voluntary approach to help owners and operators of critical infrastructure to manage cybersecurity risks and prioritizes cybersecurity research and development (R&D) and education and workforce development. It also requires NIST to continue to coordinate with other federal agencies on the National Initiative for Cybersecurity Education (NICE), and directs NIST to continue its cloud computing strategy for federal agencies.
- Cybersecurity Workforce Assessment Act, (H.R. 2952): Requires DHS to internally assess their cybersecurity workforce and establish an agency workforce strategy within 1 year of enactment.
- Border Patrol Agent Pay Reform Act (S. 1691): Addresses DHS cybersecurity workforce recruitment and retention by providing the agency with the authority to more quickly recruit and hire candidates for certain cyber positions, appoint individuals to those positions and fix their compensation, and requires DHS to identify all cyber workforce positions.
The tech sector has long encouraged Congress to undertake actions like these, and we have been working closely with lawmakers throughout the process. Strengthening cybersecurity R&D, education and workforce development, and federal agencies’ cybersecurity activities are essential pieces of the puzzle, and we commend Congress for taking these steps to modernize and update these policies. We look forward to working with lawmakers next year to build upon these actions and tackle additional issues that will bolster our nation’s cybersecurity.