The Senate Commerce Committee last week unanimously approved a critical infrastructure cybersecurity bill that had been introduced earlier in July by Chairman Jay Rockefeller (D-W.Va.) and ranking Republican John Thune (R-S.D.).

Under S. 1353, the "Cybersecurity Act," the National Institute of Standards and Technology (NIST) would work with critical infrastructure ISACs and sector coordinating councils to develop "a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks" to critical infrastructure, including major water systems. The government would have no power to require critical infrastructure entities to implement the voluntary standards, although an amendment accepted during the markup calls for a study on the extent to which infrastructure operators adopt the standards, the rationale for their decisions, and the success of the voluntary standards at protecting critical infrastructure against cyber threats.

The bill appears largely to codify the Cybersecurity Framework provisions of Executive Order 13636.

Speaking during last week’s markup, Chairman Rockefeller said the bill "doesn’t do everything we need to do to improve our cybersecurity," but added that the measure represents "a good start."

The full U.S. Senate is unlikely to consider S. 1353 on its own. Instead, Rockefeller and Thune said they hope the bill will be sent to the floor as part of a larger cybersecurity package that combines legislation produced from the various Senate committees with jurisdiction over the issue – assuming those other committees are able to approve their own cyber bills this year.

Meanwhile, House Homeland Security Committee Chairman Michael McCaul (R-Tex.) is developing his own cybersecurity bill. According to an early discussion draft, titled the "National Cybersecurity and Critical Infrastructure Protection (NCCIP) Act," the bill would establish an intensive system aimed at boosting cyber threat information sharing between the government and the private sector. The bill would also attempt to spur the development of cybersecurity best practices for use by members of various critical infrastructure sectors, but it would not impose any new standards on critical infrastructure owners and operators through federal regulations.

Unlike S. 1353, the McCaul bill would not direct NIST to develop voluntary standards.

The House Homeland Security Committee is in the process of collecting feedback on the draft.