UPDATE, 6/11: The Homeland Security Committee has postponed the planned markup of the "National Cybersecurity and Critical Infrastructure Protection Act" until later this month, according to committee staff.
This Thursday a House Homeland Security subcommittee will mark up critical infrastructure cybersecurity legislation that includes new responsibilities for Information Sharing and Analysis Centers (ISACs) and Sector Coordinating Councils (SCCs).
House Homeland Security Committee Chairman Michael McCaul (R-Tex.) drafted the bill, known as the “National Cybersecurity and Critical Infrastructure Protection Act.” McCaul spoke about the effort at AMWA’s Water Policy Conference in March and told attendees that his bill would not impose “heavy-handed regulations” on critical infrastructure owners and operators. The draft measure appears to keep that promise, though it would establish an intensive system to guide industry development of voluntary cybersecurity standards.
The bill would also require SCCs to develop guidelines “to mitigate cyber risks” within their sectors and take steps to encourage owners and operators to voluntarily adopt these guidelines. The federal government is already at work developing voluntary guidelines under the recent White House Executive Order on cybersecurity. The bill would put this responsibility in the hands of industry.
Among its provisions, the draft bill would direct the Department of Homeland Security (DHS) to designate an ISAC “as the primary information sharing entity” for each critical infrastructure sector. ISACs would share actionable cyber risk assessments, inform sector planning on cyber incident protection options, provide risk mitigation and cyber incident response capabilities for sector members and safeguard cyber threat information from unauthorized disclosure. Most critical infrastructure sectors have already established ISACs, such as WaterISAC, which AMWA operates.
McCaul's bill also directs DHS to develop a national “see something, say something” campaign to encourage individuals, particularly owners and operators, to proactively report cyber threat information to DHS's National Cybersecurity and Communications Integration Center.
Speaking to reporters last week, McCaul reiterated that his bill would include “no regulations,” but only “industry-driven” standards and best practices. Assuming the measure advances through subcommittee this week, the full Homeland Security Committee could consider the bill before the end of the month.