Tuesday Rep. Richmond (D, LA) introduced HR 3510,
the Department of Homeland Security Cybersecurity Strategy Act of 2015. The
bill adds a new section to Subtitle C of title II of the Homeland Security Act
requiring the DHS Secretary to develop a cybersecurity strategy for the
Department.
Cybersecurity Strategy
The new §230 in the bill requires that the strategy include {§230(b)}:
• Strategic and operational goals
and priorities to successfully execute the full range of the Secretary’s
cybersecurity responsibilities; and
• Information on the programs, policies, and
activities that are required to successfully execute the full range of the
Secretary’s cybersecurity responsibilities.
The bill requires the Secretary to develop the strategy
within 60 days of the bill's adoption {§230(d)}.
Thirty days after that, the Secretary is required to develop a plan to
implement the strategy.
The bill does prohibit the Secretary from reorganizing “departmental
components or offices” {§230(f)} without
Congressional authorization.
Moving Forward
The bill was considered in a markup
hearing this morning in the Cybersecurity, Infrastructure Protection, and
Security Technologies Subcommittee of the House Homeland Security Committee. No
amendments were offered and the bill was adopted by a voice vote. That
typically indicates substantial bipartisan support for the bill.
Richmond is the Ranking Member of the Subcommittee, and on
non-partisan bills (like this one) that typically means that he has enough pull to
see the bill through the committee consideration process. This is a bill that
should move quickly to full committee consideration. When it makes it to the
floor of the House is a completely different story. That will depend on whether
or not Rep. McCaul (R, TX) gets behind the bill.
Because of the non-controversial nature of the bill and the
fact that it requires no new regulations or funding, I would suspect that the
bill would be considered under suspension of the rules and be approved by a
substantially bipartisan vote if it does reach the floor.
Commentary
The bill does not make any distinction between statutory and
regulatory responsibilities in defining what areas should be covered by the strategy.
The bulk of the Department's statutory cybersecurity responsibility rests with
Federal information system security, and that is undoubtedly the main focus of
the intent of this legislation.
The relationship of the Secretary to private sector
cybersecurity is a completely different matter. The CFATS program, for instance,
does not include any specific reference to cybersecurity measures in its
authorizing language (6 USC 622), but there are certainly cybersecurity requirements in the CFATS
regulations {e.g., 6 CFR 27.230(a)(8)}. It is unclear whether the strategy is required to address the
implementation of these cybersecurity requirements in DHS regulations.
Considering the short time limit for formulating the
strategy and then the implementation plan, I suspect that the Department would
take the easier road and only include the statutory cybersecurity requirements in
the development of the new strategy. It would make a great deal of sense to do
so from a bureaucratic point of view, and it would almost certainly satisfy the
crafters of this legislation.
On the other hand, the private sector would probably benefit
more from a strategy that is focused on the regulatory responsibilities of
the Department. Better codification of the requirements of Risk
Based Performance Standard 8 (RBPS 8, the cybersecurity standard) for the CFATS program and a clearer
understanding of the support to be provided by ICS-CERT for activities
under that RBPS would be a lot more helpful to chemical facilities covered by
the CFATS program.