2020 outlook for cybersecurity legislation

CSO online has a round-up of what’s coming through Congress. Worth keeping an eye on…:

[…] Notable pieces of digital security-related bills that the House has passed include:

  1. H.R. 3710 – Cybersecurity Vulnerability Remediation Act: This bill was passed by the House in September and is now before the Senate Homeland Security and Governmental Affairs Committee, which has taken no action yet. The bill would allow the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) to issue protocols to mitigate vulnerabilities, and would allow the Science and Technology Directorate of the Department of Homeland Security to establish an incentive program that allows industry, individuals, academia, and others to compete in providing remediation solutions for cybersecurity vulnerabilities.
  2. H.R. 2331 – SBA Cyber Awareness Act and H.R. 1649 – Small Business Development Center Cyber Training Act of 2019: Both bills passed the House on July 15. The SBA Cyber Awareness Act addresses the cybersecurity of the Small Business Administration (SBA). It requires the SBA to report annually to Congress on SBA’s IT technology and any necessary improvements the agency’s technology infrastructure may need. It also requires SBA to provide an account of its IT equipment or interconnected system or subsystem of equipment manufactured by an entity that has its principal place of business in the People’s Republic of China. The annual report must further provide accounts of any cybersecurity incident SBA has encountered during the previous two years and how the government agency dealt with the incidents. The Small Business Development Center Cyber Training Act requires the SBA to establish a program for certifying that at least 5% or 10% of the total number of employees of a small business development center provide cybersecurity planning assistance to small businesses. Both bills have companion legislation in the Senate sponsored by Sen. Marco Rubio (R-FL), who chairs the Senate Small Business Committee, and are awaiting votes by the full Senate.
  3. H.R. 328 – Hack Your State Department Act: This bill was one of the first cybersecurity measures passed by the House during the 116th Congress, enacted last January and quickly referred to the Senate, where companion legislation was introduced on June 12. It requires the “Secretary of State to design and establish a Vulnerability Disclosure Process (VDP) to improve Department of State cybersecurity” and mandates a bug bounty program “to identify and report vulnerabilities of internet-facing information technology of the Department of State.”
  4. H.R. 1 – For the People Act of 2019: The first bill introduced in the new Congress was passed by the House on March 8. Among other things, this sweeping piece of legislation “sets forth provisions related to election security, including sharing intelligence information with state election officials, protecting the security of the voter rolls, supporting states in securing their election systems, developing a national strategy to protect the security and integrity of U.S. democratic institutions, establishing in the legislative branch the National Commission to Protect United States Democratic Institutions.” A companion bill in the Senate, S. 949, was introduced in March. Of all the cybersecurity-related bills passed by the House, H.R. 1 is least likely to gain momentum in the Senate given stiff resistance by Majority Leader Mitch McConnell (R-KY), who has vowed to never bring what he perceives as overly progressive legislation to the Senate floor.

Senate-passed cybersecurity legislation

Some of the prominent pieces of information security-related legislation passed by the Senate and awaiting House action include:

  1. S. 333 – National Cybersecurity Preparedness Consortium Act of 2019: Passed by the Senate on November 21 and referred to the House Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation on December 4, the bill allows the Department of Homeland Security to work together with a consortium composed of nonprofit entities to develop, update, and deliver cybersecurity training in support of homeland security.
  2. S. 1846 – State and Local Government Cybersecurity Act of 2019: Passed by the Senate on November 21 and referred to the House Committee on Homeland Security and the Committees on Oversight and Reform and Energy and Commerce on November 26, the bill authorizes the Homeland Security secretary to make grants to, and enter into cooperative agreements or contracts with, state, local, tribal, and territorial governments and other non-federal entities that the secretary determines necessary regarding cyber threat indicators, defensive measures and cybersecurity technologies, cybersecurity risks, incidents, analysis, and warnings.
  3. S. 406 – Federal Rotational Cyber Workforce Program Act of 2019: Passed by the Senate on April 30, 2019 and considered by the House Committee on Oversight and Reform, which has already held one markup session, the bill permits certain government agency employees to detail among rotational cyber workforce positions at other agencies.

Cybersecurity legislation in committee

A number of bills have been introduced or moved in either House or Senate committees and are likely candidates for further movement once Congress rolls up its sleeves after recess ends. Among them are:

  1. H.R. 3941 – The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act: Introduced in the House on July 24, 2019, with the House Oversight and Reform Committee holding a markup session on December 19, 2019, this legislation is now ready for full House consideration. The bill establishes the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration. FedRAMP is a risk management, authorization, and continuous monitoring process to enable the Federal Government to leverage cloud computing services using a risk-based approach consistent with the Federal Information Security Modernization Act of 2014 and cloud-based operations. It also allocates $20 million for the initiative.

  2. H.R. 1668 – IoT Cybersecurity Improvement Act of 2019: Introduced on March 11, 2019, the bill was approved by the House Committee on Oversight and Reform and is awaiting action by the Committee on Science, Space, and Technology. On the Senate side, the companion bill (S. 734) has been approved by the Homeland Security and Governmental Affairs Committee and is sitting on the Senate legislative calendar. The bill would give the National Institute of Standards and Technology (NIST) the authority for managing internet-of-things (IoT) cybersecurity risks for devices acquired by the federal government.

  3. H.R. 4237 – Advancing Cybersecurity Diagnostics and Mitigation Act: Introduced in the House on September 6, 2019 and passed by the Committee on Homeland Security in October, the bill is awaiting consideration by the House Oversight and Reform Committee. The legislation’s Senate companion (S. 2318) has yet to be considered or amended by the Homeland Security and Governmental Affairs Committee. The bill authorizes the Secretary of Homeland Security to establish a continuous diagnostics and mitigation program in the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security.

  4. H.R. 739 – Cyber Diplomacy Act of 2019: Introduced on January 24, 2019, and passed by the House Committee on Foreign Affairs in March, the bill has not received a vote on the floor of the House, nor does it have a Senate companion. Among other provisions, the bill would establish the Office of International Cyberspace Policy at the State Department and seeks to establish accepted norms for responsible country behavior in cyberspace.

  5. S. 3033 – K-12 Cybersecurity Act of 2019: This bill was introduced in the Senate Homeland Security and Governmental Affairs Committee shortly before recess on December 12, 2019 and is a response to the rash of ransomware attacks on government institutions and schools during 2019. It calls for DHS to create a set of guidelines to help schools improve their cybersecurity posture to better ward off these attacks.