A pair of critical infrastructure cybersecurity bills approved by Congress this month will codify the role of the National Cybersecurity and Critical Infrastructure Center (NCCIC), direct the center to help sectors prepare for and respond to cyber threats, and empower the National Institute of Standards and Technology (NIST) to develop strategies for critical infrastructure operators to defend themselves in cyberspace.
The first bill (the “National Cybersecurity Protection Act,” S. 2519) recognizes NCCIC as “a federal civilian information sharing interface” responsible for sharing real-time cyber threat information among critical infrastructure stakeholders, government representatives, and sector Information Sharing and Analysis Centers (ISACs). The final version of the bill eliminates earlier language that would have recognized an official Sector Coordinating Council (SCC) and ISAC for each critical infrastructure sector before the NCCIC. Instead, the bill as enacted directs the NCCIC to ensure “continuous, collaborative, and inclusive coordination” with all relevant SCCs and ISACs. S. 2519 also requires DHS officials to coordinate with these and other critical infrastructure stakeholders when maintaining and updating cyber incident response plans.
The second cybersecurity bill approved in the closing days of the 113th Congress (S. 1353, the “Cybersecurity Enhancement Act”) grants NIST authority to develop, with input from ISACs, SCCs and other stakeholders, “a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost effectively reduce cyber risks to critical infrastructure,” including major water systems. The bill does not grant any new regulatory authority nor allow NIST to require the adoption of any specific security measures. However, the bill does call for a biannual report on the extent to which critical infrastructure operators adopt the voluntary standards, the rationale for their decisions, and the success of the voluntary standards at protecting critical infrastructure against cyber threats.
In a December 11 statement, House Homeland Security Committee Chairman Michael McCaul (R-Tex.) called the passage of the bills “a historic moment in the fight against cyber-attacks.”