BreachExchange mailing list archives

Obama Signs 5 Cybersecurity Bills


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 21 Dec 2014 17:59:01 -0700

http://www.databreachtoday.com/obama-signs-5-cybersecurity-bills-a-7697

Without ceremony, President Obama on Dec. 18 signed five
cybersecurity-related bills, including legislation to update the Federal
Information Security Management Act, the law that governs federal
government IT security.

It's the first time in 12 years that significant cybersecurity legislation
has become law. The last major piece of cybersecurity law to be passed by
Congress and signed by a president was the E-Government Act of 2002, which
included FISMA.

The five cybersecurity measures, among 48 bills the White House announced
the president had signed, include the:

- Federal Information Security Modernization Act, which codifies the
existing administration practice of having the Office of Management and
Budget determine IT security policies for federal agencies. In addition,
the law grants the Department of Homeland Security authority to carry out
the operational aspects of those policies among civilian agencies (see
FISMA Reform Heading to the White House).

The statute eliminates the 12-year-old requirement that agencies must
submit a checklist showing their IT systems and processes comply with
security standards and controls. Instead, under FISMA reform, agencies are
required to continuously monitor their systems for vulnerabilities.

- Homeland Security Workforce Assessment Act, a rider on the Border Patrol
Agent Pay Reform Act, which identifies and fills key cybersecurity
positions at DHS and provides competitive compensation. The statute also
calls for a process to identify IT security skills the DHS needs to fill.

"Slow and cumbersome hiring procedures have been a persistent challenge for
DHS when competing for scarce cybersecurity talent," says Diana Burley, a
Georgetown University professor who studies government IT security
employment. "This bill will reduce these barriers to entry and enhance
DHS's ability to compete with other agencies - most notably NSA and DoD -
in hiring the limited number of cybersecurity professionals."

- Cybersecurity Workforce Assessment Act, which requires the DHS to assess
its cybersecurity workforce and develop a comprehensive strategy to enhance
the readiness, capacity, training, recruitment and retention of its
cybersecurity workforce.

- National Cybersecurity Protection Act, which codifies the National
Cybersecurity and Communications Integration Center, a 24x7 cyber
situational awareness, incident response and management center that is a
national nexus of cyber and communications integration for the federal
government, intelligence community and law enforcement. The NCCIC shares
information among the public and private sectors to provide greater
understanding of cybersecurity and communications situation awareness of
vulnerabilities, intrusions, incidents, and mitigation and recovery actions.

"It is critical that the department continues to build strong relationships
with business, state and local governments and other entities across the
country so that we can all be better prepared to stop cyber-attacks and
quickly address those intrusions that do occur," says bill sponsor, Sen.
Tom Carper, D-Del.

- Cybersecurity Enhancement Act, which authorizes the Department of
Commerce, through its National Institute of Standards and Technology unit,
to facilitate and support the development of voluntary standards to reduce
cyber-risks to critical infrastructure. The law also requires the Office of
Science and Technology Policy to develop a federal cybersecurity research
and development plan (see Bill OK'd to Enhance NIST Cybersecurity Role).
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
