On June 21, 2023, DHS published a final rule that amends the Homeland Security Acquisition Regulation (HSAR) both by modifying the existing regulations through removing and updating existing clauses and by adding new contract clauses to include certain requirements for the safeguarding of Controlled Unclassified Information (CUI). The final rule, first released in proposed form
On April 17, 2018, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen delivered a keynote address at the RSA Conference. A copy of her prepared remarks is available here. Secretary Nielsen’s remarks highlighted efforts by DHS to address the evolving cybersecurity threats to our country’s critical infrastructure.
Secretary Nielsen set the stage by describing the realities of the cyber threat landscape: 2017 was a landmark year in terms of cyberattack volume, with nearly half of all Americans having their sensitive personal information exposed online and ransomware attacks spreading to more than 150 countries. The Secretary stated that cybercrime damages are estimated to reach $6 trillion annually by 2021, and suggested that the emergence of internet-connected devices could make us even more vulnerable to cyberattacks.
To address evolving cyber threats and more sophisticated threat actors, Secretary Nielsen posited a five-part approach that DHS is taking to support a “more forward-leaning posture” in the cybersecurity area. Those five approaches are summarized below:…
Earlier this week, both chambers on Capitol Hill took steps that would increase the Department of Homeland Security’s (DHS) role in the area of cybersecurity. On the Senate side, the Senate Homeland Security and Governmental Affairs Committee approved a DHS reauthorization bill that included amendments to rename and reorganize the DHS National Protection and Programs Directorate (NPPD), to increase protections for certain personally identifiable information (PII), and to emphasize the need for cybersecurity research. On the House side, the House Homeland Security Committee approved the Cyber Incident Response Teams Act, which would establish teams within DHS devoted to cyber incident response.
Congress enacted the SAFETY Act in 2002 in an effort to incentivize the development of anti-terrorism technologies following the attacks of September 11, 2001. The Act affords liability protections to sellers of Qualified Anti-Terrorism Technologies (“QATTs”) in the event of an act of terrorism where QATTs are deployed. Although the SAFETY Act’s protections have not yet been tested in court, a recent publication from the Department of Homeland Security’s Office of SAFETY Act Implementation (“OSAI”) further explains and reaffirms how the Act’s most significant liability protection—the government contractor defense—would operate to protect a SAFETY Act-approved company sued in court following a terrorist attack.
We have already seen tremendous fallout from recent cyber attacks on Target, the U.S. Office of Personnel Management, Sony Pictures, and J.P. Morgan. Now imagine that, instead of an email server or a database of information, a hacker gained access to the controls of a nuclear reactor or a hospital. The potential consequences are devastating: death, injury, mass property destruction, environmental damage, and major utility service and business disruption. Now what if there were a mechanism that would incentivize industry to create and deploy robust and ever-evolving cybersecurity programs and protocols in defense of our nation’s critical infrastructure?
In late 2014, Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, proposed legislation that would surgically amend the SAFETY Act, which currently offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism. Rep. McCaul’s amendment would broaden this protection to cybersecurity technologies in the event of “qualifying cyber incidents.” The proposed legislation defines a “qualifying cyber incident” as an unlawful access that causes a “material level of damage, disruption, or casualties severely affecting the [U.S.] population, infrastructure, economy, or national morale, or Federal, State, local, or tribal government functions.” Put simply, under the proposed legislation, a cyber incident could trigger SAFETY Act protection without being deemed an act of terrorism.…
On December 18, 2014, President Obama signed a bill reforming the Federal Information Security Management Act of 2002 (“FISMA”). The new law updates and modernizes FISMA to provide a leadership role for the Department of Homeland Security, add security incident reporting requirements, and make other key changes.
Background: FISMA was originally passed in 2002 to provide a framework for the development and maintenance of minimum security controls to protect federal information systems. FISMA charged the Director of the Office of Management and Budget (“OMB”) with oversight of agency information security policies and practices.
Changes: The newly signed law, the “Federal Information Security Modernization Act of 2014” (“FISMA 2014”), makes several key changes to FISMA.
First, the law authorizes the Secretary of the Department of Homeland Security (“DHS”) to assist the OMB Director in administering the implementation of agency information security policies and practices for federal information systems. Among the Secretary’s responsibilities are convening meetings with senior agency officials, coordinating government-wide efforts for information security, consulting with the Director of the National Institute of Standards and Technology (“NIST”), and providing operational and technical assistance to agencies. Perhaps most importantly, the Secretary is tasked with developing and overseeing the implementation of “binding operational directives” to agencies to implement policies, principles, standards, and guidelines developed by the OMB Director. “Binding operational directives” are defined in FISMA 2014 as a “compulsory direction” to an agency “for the purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability or risk.”
This delegation of responsibility is likely related to another new law codifying DHS’s cybersecurity role and authorizing a cybersecurity information-sharing hub, the National Cybersecurity and Communications Integration Center.