Wednesday, October 21, 2020

HR 8223 Introduced – Cyber Essentials Act

Last month Rep Katko (R,NY) introduced HR 8223, the Cyber Essentials Act. The bill would require CISA to publish and maintain guidelines for defending against common cybersecurity threats and cybersecurity risks.

The bill would amend 6 USC 653(b), adding a new function for the CISA Assistant Director for Cybersecurity. That new function would require the Assistant Director, in consultation with NIST, to “develop, publish, and update as necessary guidelines and processes for a national audience regarding usable evidence-based controls that have the most impact in defending against common cybersecurity threats and cybersecurity risks” {new §653(b)(4)}.

Section 2(b) of the bill provides that CISA would not be required to comply with the publish and comment requirements of the Paperwork Reduction Act in preparing this guidance.

There is no funding authorization in this bill.

Moving Forward

Katko and two of his cosponsors {Rep Langevin (D,RI) and Rep Rice (D,NY)} are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there is a chance (after the election) that this bill could be considered in Committee. The bill would almost certainly receive bipartisan support in Committee. The bill could be brought to the floor in the lame duck session under the suspension of the rules process, but it is unlikely that it would make it to the President’s desk this year.

Commentary

The two key cybersecurity terms used in this bill, ‘cybersecurity threat’ and ‘cybersecurity risk’, are defined by reference to two separate definitions of ‘information system’. The term ‘cybersecurity threat’ is based upon the more expansive, control-system-inclusive definition found in 6 USC 1501. The term ‘cybersecurity risk’ relies upon the IT-restrictive definition from 44 USC 3508. Thus, the guidance could include information on protecting industrial control systems, building automation systems, and security control systems.

CISA does not currently list any cybersecurity guidance documents on its guidance document web page. There is nothing that would currently prevent CISA from publishing such documents. The relatively vague wording of this added requirement sets no time limit and does not establish which parts of the ‘national audience’ these guidance documents would be targeted at. Along with the lack of specific funding for the process of developing such guidelines, this provides a wonderful example of Congress trying to appear to take action on cybersecurity without actually doing anything.

If this bill is not (as I suspect it will not) passed in this session, it will almost certainly be re-introduced in the 117th Congress.

1 comment:

Jake Brodsky said...

One of the few bright spots in today's contentious political climate is that when it comes to cybersecurity, there is not much difference of policy between the parties. I agree with you; this legislation is likely to re-emerge in the next Congress.
