The House Homeland Security Committee is in the process of collecting feedback on a draft critical infrastructure cybersecurity bill with the goal of marking up the legislation during the summer.
Written by Homeland Security Committee Chairman Michael McCaul (R-Tex.), the draft “National Cybersecurity and Critical Infrastructure Protection (NCCIP) Act” would establish an intensive system aimed at boosting cyber threat information sharing between the government and the private sector. The bill would also attempt to spur the development of cybersecurity best practices for use by members of various critical infrastructure sectors, but it would not impose any new standards on critical infrastructure owners and operators through federal regulations.
According to a draft of the bill circulated to AMWA and other stakeholders in early June, the NCCIP Act would:
-
Direct DHS to designate an information sharing and analysis center (ISAC) “as the primary information sharing entity” for each critical infrastructure sector. ISACs would have to meet several operational requirements and coordinate with DHS and the relevant sector coordinating council (SCC) on policies and procedures to support cyber information sharing. ISACs would also share actionable cyber risk assessments, inform sector planning on cyber incident protection options, provide risk mitigation and cyber incident response capabilities for sector members, and safeguard cyber threat information from unauthorized disclosure.
-
Require DHS to designate an official SCC for each critical infrastructure sector to “serve as the primary policy, planning, and communications entity for coordinating” with DHS and other relevant agencies on critical infrastructure protection programs. SCCs would be required to develop guidelines “to mitigate cyber risks” within their sector, and take steps to encourage critical infrastructure entities within the sector to voluntarily adopt these guidelines. The SCCs would meet periodically with DHS to report on the progress of these efforts.
-
Recognize the National Cybersecurity and Communications Integration Center (NCCIC) at DHS as a 24/7 “information sharing interface” to share cyber threat information among all levels of government and critical infrastructure sectors.
-
Develop a national cybersecurity “see something, say something” campaign to individuals to proactively report cyber threat information to the NCCIC.
AMWA and WaterISAC jointly submitted feedback to Chairman McCaul in which they recognized the bill as consistent with McCaul’s pledge to avoid “heavy-handed regulations.” AMWA and WaterISAC also recommended several edits to improve the framework for communications between sector ISACs and DHS. Separately, questions have been raised about the feasibility of using various SCCs to develop and promote sector-specific cybersecurity best practices – especially without providing funding for this purpose.
Chairman McCaul had originally hoped to move the draft bill through the Homeland Security Committee before the end of June, but that timeframe has been pushed back to give committee staff additional time to sort through stakeholder comments.