
Legislation approved by the House of Representatives in late July would formalize information-sharing agreements between the federal government and critical infrastructure operators and encourage the development of sector-specific cybersecurity best practices – without giving new regulatory authority to DHS or any other agency.

Sponsored by House Homeland Security Committee Chairman Michael McCaul (R-Tex.), the “National Cybersecurity and Critical Infrastructure Protection (NCCIP) Act” (H.R. 3696) passed the House of Representatives by a unanimous voice vote.  The final bill included few major changes compared to a version the Homeland Security Committee approved in February.

Notable provisions of H.R. 3696 would:

  • Officially designate the National Cybersecurity and Critical Infrastructure Center (NCCIC) as “a federal civilian information sharing interface” responsible for sharing real-time cyber threat information among critical infrastructure stakeholders, government representatives, and sector Information Sharing and Analysis Centers (ISACs).
     
  • Formally recognize a Sector Coordinating Council (SCC) and an ISAC for each critical infrastructure sector.  SCCs would function as a “primary policy, planning, and strategic communications entity for coordinating” with DHS and other relevant agencies on cybersecurity programs, while ISACs would carry out information sharing and emergency response coordinating responsibilities for each sector and aid in the development of procedures to support information-sharing mechanisms with the NCCIC.  Nothing in the bill would prevent existing SCCs and ISACs from carrying out these responsibilities.
     
  • Direct the National Institute of Standards and Technology (NIST), in cooperation with relevant ISACs and SCCs, to develop voluntary, industry-led cybersecurity standards and best practices for each critical infrastructure sector, including the water and wastewater sector.  The subsequent adoption of any standards or practices by a critical infrastructure owner would be strictly voluntary, and the government would not gain the power to force implementation of any particular security measure.

Additionally, the bill would require DHS to meet biannually with each SCC to discuss the latest cyber threat information, and periodically report to Congress on cybersecurity threats to each sector.

In a statement released after the bill’s approval, Chairman McCaul said the measure would help reverse the nation’s “pre-9/11 mindset” on cybersecurity without imposing “burdensome mandates or regulations.”  There is no word yet on when the Senate might take up the bill.