There are currently three major cybersecurity-related bills pending in the 114th Congress that address information sharing among private entities and between private entities and the federal government: the Protecting Cyber Networks Act (PCNA), H.R. 1560; the National Cybersecurity Protection Advancement Act of 2015 (NCPAA), H.R. 1731; and the Cybersecurity Information Sharing Act of 2015 (CISA), S. 754. Some of the key issues that need to be resolved across these bills include: which agency will be designated as the lead clearinghouse for cyber threat information, what liability protections will be granted to companies that do share information, and whether the structures established under any of these bills will also facilitate greater sharing of government threat information with the private sector. Although the bills all provide that existing reporting requirements will not be disturbed, such as those for Department of Defense (“DOD”) contractors, it remains unclear how these different reporting schemes will interact. Similarly, these bills do not address a provision in the House version of the 2016 National Defense Authorization Act that would provide liability protection to certain DOD contractors for properly reporting cyber incidents on their networks and information systems.

Restrictions on the sharing of cyber threat and vulnerability information are often raised as significant barriers to effective cybersecurity. But the sharing of such information is not without risk. In particular, private entities have raised concerns about how the government would use this information and whether such disclosures could result in antitrust, privacy or other legal complications. These bills look to increase incentives for cooperation between the government and the private sector in fending off cyber-attacks by encouraging private companies to voluntarily share information about the particular traits of cyber-attacks—what the bills refer to as “cyber threat indicators”—that they have previously encountered. In response to some of the concerns previously voiced by industry, these bills provide civil suit immunity for private entities that elect to share their information with each other and with the government. The bills also contain liability protection for contractors who monitor government computer systems. What follows is a brief comparison of all three major bills and why their different approaches may or may not benefit government contractors.

Competing Bills Focus on Cybersecurity Information Sharing But Final Language and Ultimate Passage Remain Unknown

On December 18, 2014, President Obama signed a bill reforming the Federal Information Security Management Act of 2002 (“FISMA”). The new law updates and modernizes FISMA by giving the Department of Homeland Security a leadership role, adding security incident reporting requirements, and making other key changes.

Background:  FISMA was originally passed in 2002 to provide a framework for the development and maintenance of minimum security controls to protect federal information systems. FISMA charged the Director of the Office of Management and Budget (“OMB”) with oversight of agency information security policies and practices.

Changes:  The newly signed law, the “Federal Information Security Modernization Act of 2014” (“FISMA 2014”), makes several key changes to FISMA.

First, the law authorizes the Secretary of the Department of Homeland Security (“DHS”) to assist the OMB Director in administering the implementation of agency information security policies and practices for federal information systems. Among the Secretary’s responsibilities are convening meetings with senior agency officials, coordinating government-wide efforts on information security, consulting with the Director of the National Institute of Standards and Technology (“NIST”), and providing operational and technical assistance to agencies. Perhaps most importantly, the Secretary is tasked with developing and overseeing the implementation of “binding operational directives” to agencies to implement the policies, principles, standards, and guidelines developed by the OMB Director. A “binding operational directive” is defined in FISMA 2014 as a “compulsory direction” to an agency “for purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk.”

This delegation of responsibility is likely related to another new law, the National Cybersecurity Protection Act of 2014, which codifies DHS’s cybersecurity role and authorizes a cybersecurity information-sharing hub, the National Cybersecurity and Communications Integration Center.
FISMA Updated and Modernized