Last week Rep Slotkin (D,MI) introduced HR 3223, the CISA Cyber Exercise Act. The bill would establish in CISA the National Cyber Exercise Program. It also takes care of some administrative changes to the section numbering in Subtitle A of title XXII of the Homeland Security Act of 2002.
Cyber Exercise Program
Section 2(a) of the bill amends the Homeland Security Act of 2002 by adding a new §2220A, National Cyber Exercise Program. It establishes in CISA the National Cyber Exercise Program to evaluate the National Cyber Incident Response Plan, and other related plans and strategies. The program will be {new §2220A(a)(2)(A)}:
• Based on current risk assessments, including credible threats, vulnerabilities, and consequences,
• Designed, to the extent practicable, to simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident,
• Designed to provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements, and
• Designed to promptly develop after-action reports and plans that can quickly incorporate lessons learned into future operations.
The Exercise Program will include a selection of model exercises that State, local, and Tribal governments, as well as private sector entities, could use in the design, implementation, and evaluation of exercises that {new §2220A(a)(2)(B)(ii)}:
• Conform to the requirements described above,
• Are consistent with any applicable national, State, local, or Tribal strategy or plan, and
• Provide for systematic evaluation of readiness.
HSA Cleanup
Congress writes many of their homeland security bills as amendments to the Homeland Security Act of 2002. The piecemeal nature of these amendments frequently results in section numbering issues that have to be corrected. The current version of the HSA has a series of these issues in Subtitle A, Cybersecurity and Infrastructure Security, of Title XXII. The table of contents shows:
Sec. 2214. National Asset Database.
Sec. 2215. Sector Risk Management Agencies.
Sec. 2215. Cybersecurity State Coordinator.
Sec. 2215. Joint cyber planning office.
Sec. 2215. Duties and authorities relating to .gov internet domain.
Sec. 2216. Cybersecurity Advisory Committee.
Sec. 2217. Cybersecurity Education and Training Programs.
Section 2(b) of the bill corrects this multiple §2215 situation so that the revised table of contents will read:
Sec. 2214. National Asset Database.
Sec. 2215. Duties and authorities relating to .gov internet domain.
Sec. 2216. Joint cyber planning office.
Sec. 2217. Cybersecurity State Coordinator.
Sec. 2218. Sector Risk Management Agencies.
Sec. 2219. Cybersecurity Advisory Committee.
Sec. 2220. Cybersecurity Education and Training Programs.
Sec. 2220A. National Cyber Exercise Program.
Moving Forward
As I mentioned earlier, this bill will be marked up this afternoon by the House Homeland Security Committee. I expect that the bill will receive substantial bipartisan support. I then expect it to be considered by the full House under the suspension of the rules process.
Commentary
CISA, and its predecessor agency, have already been holding a series of national cybersecurity exercises, so this bill is not really starting something new with the National Cyber Exercise Program. I am not sure if CISA has had a formal program for being able to share exercise models with State, local and Tribal governments, so this may be an addition to the existing program.
It would be nice if CISA were able to stand up something like the TSA’s Exercise Information System to aid in the development of industry and local government cybersecurity exercises. Unfortunately, this bill does not go quite that far, and it does not provide for any funding that would allow for that type of expansion.