Continued Momentum on Cybersecurity Reform

In December of last year I reported that Senate Majority Leader Reid and Minority Leader McConnell were in talks on how best to approach cybersecurity reform. Senator Reid expressed preference for a comprehensive and holistic approach, and Senator McConnell expressed a preference for a piecemeal approach to reform.

So far, it appears that the piecemeal approach has prevailed. Senate Staff for the Commerce and Homeland Security Committees have begun floating several provisions of what may ultimately become the Cybersecurity Information Sharing Act of 2012 (CISA). Although there is no publicly available bill, there are several “staff discussion drafts” floating around. As things stand now, the most significant aspects of CISA include, reform of the Federal Information Security Management Act (FISMA) which currently requires federal agencies to maintain effective cybersecurity controls and measures in place. Under the new provisions FISMA would require a model of continuous compliance as opposed to quarterly or yearly security certifications. Second, CISA would provide a new framework comprised of voluntary and mandatory information sharing guidelines between the federal government and the private sector on matters related to the cybersecurity and protection of “critical infrastructures”, such as utility companies and nuclear facilities. Third, CISA would consolidate all federal authority for federal cybersecurity matters under the Department of Homeland Security.

It is unclear at this early stage whether the above referenced provisions will survive the final draft and/or whether new provisions will be added. Notwithstanding, there does seem to be general agreement that a cybersecurity bill needs to be enacted during this legislative session. This is true for both houses and parties, including the White House.