Earlier this week, both chambers on Capitol Hill took steps that would increase the Department of Homeland Security’s (DHS) role in the area of cybersecurity.  On the Senate side, the Senate Homeland Security and Governmental Affairs Committee approved a DHS reauthorization bill that included amendments to rename and reorganize the DHS National Protection and Programs Directorate (NPPD), to increase protections for certain personally identifiable information (PII), and to emphasize the need for cybersecurity research.  On the House side, the House Homeland Security Committee approved the Cyber Incident Response Teams Act, which would establish teams within DHS devoted to cyber incident response.

Department of Homeland Security Reauthorization Bill

On March 7, the Senate Homeland Security and Governmental Affairs Committee approved H.R. 2825, which, if enacted into law, would be the first reauthorization of DHS since it was created in response to the September 11 attacks.  The Senate version of the bill added a number of cybersecurity-related amendments.  Under one amendment, the NPPD would be renamed and reorganized as the Cybersecurity and Infrastructure Security Agency.  Among its enumerated responsibilities, this Agency would “lead cybersecurity and critical infrastructure security programs, operations, and associated policy for the Agency, including national cybersecurity asset response activities” and carry out its “cybersecurity and critical infrastructure activities” in coordination with Federal and private entities.  On the Senate Committee’s website, Senator Ron Johnson (R-WI), Chairman of the Committee, is quoted as stating, “Establishing an agency within DHS to focus on cyber and infrastructure security will help DHS achieve its missions.”  A second amendment would require U.S. Customs and Border Protection (CBP) to remove personally identifiable information, including social security numbers, passport numbers, and residential addresses, from any manifest signed and transmitted to the CBP before it is disclosed to the public.  Finally, a third amendment requires the Under Secretary for Science and Technology to support “research, development, testing, evaluation, and transition of new cybersecurity technologies” and to coordinate those activities with other Federal agencies, industry, and academia.  To help spur this development, the bill also extends DHS’ authority to award other transaction authority agreements, consistent with the Department of Defense’s recent push for quicker and more flexible agreements with non-traditional contractors.

Two proposed amendments were not included in the bill, but it is possible that these amendments could still find their way into the final bill.  The first amendment would have increased DHS’ role in assisting states with monitoring and addressing cybersecurity threats and vulnerabilities during their elections.  The second amendment would have clarified liability protections for cybersecurity technology developers under the SAFETY Act.  Currently, the SAFETY Act offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism.  This amendment would have extended the SAFETY Act program to cybersecurity technologies and services by granting liability protections to industry for a terrorist act or a “declared cyber incident” that is caused by malicious cyber actors.  A date has yet to be set for the full Senate to vote on the DHS reauthorization bill.  The House passed its version of the bill last July.

Cyber Incident Response Teams Act

Also on March 7, the House Homeland Security Committee unanimously approved H.R. 5074, the Cyber Incident Response Teams Act.  This Act would authorize the National Cybersecurity and Communications Integration Center within DHS to establish “cyber hunt and incident response teams.”  Such teams would be responsible for assisting “asset owners and operators in restoring services following a cyber incident,” identifying any “cybersecurity risk and unauthorized cyber activity,” and offering both “mitigation strategies to prevent, deter, and protect against cybersecurity risks” and “recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks.”  Some members of the House Committee on Homeland Security have suggested that the Cyber Incident Response Teams’ scope of assistance would also include recommendations regarding the cybersecurity of election infrastructure.

The composition of these Cyber Incident Response Teams would not be limited to just governmental employees.  Rather, the Act expressly authorizes the inclusion of “cybersecurity specialists from the private sector,” enabling DHS to rely on specialist expertise outside of the government when addressing threats and attacks.  Although the assistance is “upon request,” private companies may be reluctant to permit private sector specialists access to very sensitive information about their networks and/or a potential breach.  The Act also would require the National Cybersecurity and Communications Integration Center to report every four years to the House Committee on Homeland Security and the Senate Homeland Security and Governmental Affairs Committee.  The report will include the “total number of incident response requests received,” the “number of incident response tickets opened,” and “all interagency staffing of incident response teams,” as well as provide information regarding “interagency collaborations established to support incident response teams.”  A date has yet to be set for the full House to vote on the Cyber Incident Response Teams Act.

Raymond Biagini

A distinguished counselor and litigator, Raymond Biagini has risen to national prominence in a number of high-profile tort cases, defending commercial and government contractors in:

  • “Contractor on the Battlefield” tort litigation;
  • the Exxon Valdez litigation;
  • the Cell Phone Radiation Hazards lawsuits;
  • the “Fen-Phen” litigation;
  • the nationwide Repetitive Stress Injury suits;
  • claims arising out of “friendly fire” accidents during Operation Desert Storm; and
  • “war crimes” allegations filed against manufacturers of military weapons systems sold to Israel.

Ray is widely recognized for his expertise in defending “contractors on the battlefield” in tort litigation, and he has established ground-breaking legal principles at the federal appellate level which immunize defense contractors from tort liability arising out of combatant scenarios.

Ray also has an extensive product liability prevention practice, counseling companies on mechanisms for reducing their tort exposure for products and services sold to government and commercial entities. He is significantly involved in counseling companies selling “homeland security” products and services, such as chemical/biological detection devices, perimeter security systems, biometric identity products, and airport security systems. Ray conceptualized and authored key provisions of the SAFETY Act, a new federal statute that is part of the Homeland Security Act of 2002. The SAFETY Act protects companies from tort lawsuits arising out of the sale of homeland security products and services. 

Ray has represented some of the world’s largest aerospace, defense and pharmaceutical companies, including Kellogg Brown & Root, Lockheed Martin, BAE SYSTEMS, Boeing, Textron, SAIC, Teledyne, Eon Labs, Unisys, and Philips Electronics. He is a frequent public speaker on risk mitigation techniques.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.