Thursday, September 17, 2015

HR 3510 Introduced – Cybersecurity Strategy

On Tuesday Rep. Richmond (D, LA) introduced HR 3510, the Department of Homeland Security Cybersecurity Strategy Act of 2015. The bill adds a new section to Subtitle C of Title II of the Homeland Security Act requiring the DHS Secretary to develop a cybersecurity strategy for the Department.

Cybersecurity Strategy

The new §230 in the bill requires that the strategy include {§230(b)}:

• Strategic and operational goals and priorities to successfully execute the full range of the Secretary’s cybersecurity responsibilities; and
• Information on the programs, policies, and activities that are required to successfully execute the full range of the Secretary’s cybersecurity responsibilities.

The bill requires the Secretary to develop the strategy within 60 days of the bill's enactment {§230(d)}. Thirty days after that, the Secretary is required to develop a plan to implement the strategy.

The bill does prohibit the Secretary from reorganizing "departmental components or offices" {§230(f)} without Congressional authorization.

Moving Forward

The bill was considered in a markup hearing this morning in the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee. No amendments were offered and the bill was adopted by a voice vote. That typically indicates substantial bipartisan support for the bill.

Richmond is the Ranking Member of the Subcommittee, and on non-partisan bills like this that typically means he has enough pull to see the bill through the committee consideration process. This is a bill that should move quickly to full committee consideration. When it makes it to the floor of the House is a completely different story; that will depend on whether or not Rep. McCaul (R, TX) gets behind the bill.

Because of the non-controversial nature of the bill and the fact that it requires no new regulations or funding, I would suspect that the bill would be considered under suspension of the rules and be approved by a substantially bipartisan vote if it does reach the floor.

The bill does not make any distinction between statutory and regulatory responsibilities in defining what areas the strategy should cover. The bulk of the Department's statutory cybersecurity responsibility rests with Federal information system security, and that is undoubtedly the intended main focus of this legislation.

The relationship of the Secretary to private sector cybersecurity is a completely different matter. The CFATS program, for instance, does not include any specific reference to cybersecurity measures in its authorizing language (6 USC 622), but there are certainly cybersecurity requirements in the CFATS regulations {e.g., 6 CFR 27.230(a)(8)}. It is unclear whether the strategy is required to address the implementation of these cybersecurity requirements in DHS regulations.

Considering the short time limit for formulating the strategy and then the implementation plan, I suspect that the Department would take the high road and only include the statutory cybersecurity requirements in the development of the new strategy. It would make a great deal of sense to do so from a bureaucratic point of view, and it would almost certainly satisfy the crafters of this legislation.

On the other hand, the private sector would probably benefit more from a strategy that is focused on the regulatory responsibilities of the Department. Better codification of the requirements of Risk-Based Performance Standard 8 for the CFATS program, and a clearer understanding of the support to be provided by ICS-CERT for activities under that RBPS, would be a lot more helpful to chemical facilities covered by the CFATS program.
