Two recently enacted laws give the Department of Homeland Security (DHS) increased authority and ability to contain cybersecurity threats and breaches. Congress passed both the Federal Information Security Modernization Act and the DHS Cybersecurity Authority Act on December 10, 2014. President Obama signed them both in a marathon bill-signing session on the 18th, during which he signed fifty-one other bills.
Federal Information Security Modernization Act
The Federal Information Security Modernization Act (FISMA) is an update to the Federal Information Security Management Act, first passed in 2002. The modern version gives greater operational authority to DHS and imposes strict incident reporting requirements on government agencies. The bill allows the Director of the Office of Management and Budget (OMB) to issue “principles, standards, and guidelines” to agencies regarding information security. For day-to-day matters, the Secretary of DHS now has the ability to issue “binding operational directives” to individual agencies to bring them into compliance with the OMB guidelines. The 2002 bill left oversight to each agency’s head, but this update bestows a supervisory power on the DHS Secretary to ensure that the guidelines are met.
The bill also changes the reporting requirements of cybersecurity breaches and incidents for federal agencies. Under FISMA, the DHS Secretary is in charge of the Federal Information Security Incident Center, which collects data and helps agencies respond to information security threats. In addition to an annual report, each agency must report major incidents or security breaches within thirty days to Congress. The bill provides that the OMB Director should define what a “major incident” entails.
Tom Carper (D-Del.), who first introduced the bill, explained the need for it in 2013:
Federal agencies need to fully implement meaningful security programs that can withstand the serious cyber challenges we face today and will face for the foreseeable future … Given the growing cyber threats that America faces, I am now more determined than ever to put in place a comprehensive cyber policy to protect our nation, its people, its critical infrastructure, and its economy.
The bill can be found in its entirety here.
DHS Cybersecurity Authority Act
While FISMA increased DHS’s authority to control cybersecurity breaches, another bill passed by both houses this month increased its ability to do so. The DHS Cybersecurity Authority Act, passed as part of the Border Patrol Agent Pay Reform Act of 2014, was enacted to improve the recruitment, hiring, and retention of cybersecurity experts in DHS. It provides the DHS Secretary the authority to establish qualified positions for such experts and to set the experts’ rates of pay, including additional compensation such as benefits. The bill will “improve [DHS’s] authority to compete with the private sector and other agencies to hire and retain the people it needs to combat the cyber threats our country faces,” according to Sen. Carper, who introduced this bill as well. The entire text of the bill can be found here.
Both bills were sent to President Obama on December 10th, and he signed both on the 18th. These measures coincide with the President’s public commitment to increased cybersecurity measures.