
House Homeland Security Committee Chairman Michael McCaul (R-Tex.) began circulating an updated draft of critical infrastructure cybersecurity legislation to Washington stakeholders in September, suggesting the bill could be formally introduced in the near future.

Chairman McCaul had initially hoped to move his “National Cybersecurity and Critical Infrastructure Protection (NCCIP) Act” through the Homeland Security Committee before the end of June, but the process was delayed as committee staff worked to address several problems identified by critical infrastructure stakeholders. AMWA and WaterISAC played a role in this process, jointly writing to Chairman McCaul in June with several suggested improvements to an earlier draft of the bill.

The latest NCCIP Act includes substantial changes to sections promoting the development of cybersecurity standards by critical infrastructure stakeholders. While the earlier draft bill would have required sector coordinating councils (SCCs) to develop “voluntary” cyber standards and then encourage their sector members to implement them, the newer draft only directs DHS and the National Institute of Standards and Technology (NIST) to offer logistical support to SCCs that wish to develop cybersecurity standards. This new draft closely matches language from the “Cybersecurity Act” (S. 1353), a bipartisan bill the Senate Commerce Committee approved in July.

Other parts of the new draft still resemble Chairman McCaul’s earlier version. For example, it would codify the role of the National Cybersecurity and Communications Integration Center (NCCIC) within DHS to compile information on cyber threats and establish information sharing arrangements with critical infrastructure sector representatives and entities. The bill would also codify in statute the relationships between SCCs and Information Sharing and Analysis Centers (ISACs) for the purpose of sharing cyber-threat information. The legislation would grant DHS no new regulatory authority.

It remains uncertain whether the NCCIP Act has a clear path forward in the House of Representatives. Though there is bipartisan agreement on the need to improve the nation’s cybersecurity, congressional Republicans remain generally skeptical of establishing new bureaucratic regimes. Conversely, many Democrats on Capitol Hill have called for a stronger cybersecurity bill that would impose binding mandates on critical infrastructure owners and operators, so they are unlikely to support cyber legislation that lacks these features.