
The House Homeland Security Committee this month unanimously approved legislation from Chairman Michael McCaul (R-Tex.) and ranking member Bennie Thompson (D-Miss.) that would formalize information-sharing agreements between the federal government and critical infrastructure operators and encourage the development of sector-specific cybersecurity best practices. H.R. 3696, the "National Cybersecurity and Critical Infrastructure Protection (NCCIP) Act," is now cleared for the House floor, though House GOP leaders have not indicated when they may bring the bill up for a vote.

Members of the Homeland Security Committee made only minor changes to H.R. 3696 during a February 5 markup, such as adding language to evaluate vulnerabilities of safety communications networks in case of a cyberattack, and requiring the National Cybersecurity and Communications Integration Center (NCCIC) to participate in exercises to test and assess preparedness and resiliency.

Left largely unchanged at the markup were sections of the bill to codify ongoing cybersecurity information sharing efforts between the federal government and critical infrastructure sectors, such as:

  • Designating the NCCIC as "a federal civilian information sharing interface" responsible for sharing real-time cyber threat information among critical infrastructure stakeholders, government representatives, and sector Information Sharing and Analysis Centers (ISACs).
  • Formally recognizing a Sector Coordinating Council (SCC) for each critical infrastructure sector. SCCs would "serve as the primary policy, planning, and communications entity for coordinating" with DHS and other relevant agencies on cybersecurity programs.
  • Recognizing at least one ISAC for each sector. ISACs would carry out information sharing and emergency response coordinating responsibilities for each sector, and aid in the development of procedures to support information-sharing mechanisms with the NCCIC.

Other sections of the bill would direct the National Institute of Standards and Technology (NIST), in cooperation with relevant ISACs and SCCs, to develop voluntary, industry-led cybersecurity standards and best practices for each critical infrastructure sector, including water and wastewater. The subsequent adoption of any standards or practices by a critical infrastructure owner would be strictly voluntary, and the government would not gain the power to force implementation of any particular security measure. Instead, DHS would be required to meet periodically with various SCCs to discuss cyber threat information, and report to Congress on various cyber threats and the status of the voluntary standards offered to each sector.

House Republican leaders have not announced any timeframe for bringing the bill to the House floor.