The Senate Committee on Commerce, Science, and Transportation on Tuesday unanimously approved a bipartisan bill that bolsters efforts by the National Institute of Standards and Technology (NIST) to craft a cybersecurity framework.
The Cybersecurity Act of 2013 (S. 1353) introduced last week by Committee Chair Jay Rockefeller IV (D-W.V.) and Ranking Member John Thune (R-S.D.) would give NIST authority to facilitate and support the development of voluntary, industry-led cyber standards and best practices for critical infrastructure. The bill would also ensure that the federal government supports cutting-edge research, raises public awareness of cyber risks, and improves the nation’s workforce to better address cyber threats.
The committee adopted five amendments to the bill during Tuesday’s markup, including one that requires the Government Accountability Office to gauge NIST’s progress every two years and another that would establish research centers for cybersecurity.
A bipartisan cybersecurity bill was twice blocked by filibuster in the Senate last year, even though sponsors watered down the legislation to make minimum security standards voluntary. The 2013 version is backed by industry.
The Edison Electric Institute (EEI), an association that represents all investor-owned electric companies in the nation, applauded the committee’s passage of the bill on Tuesday. EEI President Tom Kuhn said the bill acknowledged "important roles of industry and government to secure cyber assets, and respects the existing mandatory and enforceable cybersecurity standards that currently govern the electric and nuclear sectors." The bill passed on Tuesday also builds on existing regulatory structures and leverages progress being made under the Improving Critical Infrastructure Cybersecurity Executive Order, Kuhn noted.
President Obama in February signed that executive order after Congress failed to pass cybersecurity legislation. The order directs federal agencies to use their existing authorities to provide better cybersecurity for the nation through increased collaboration with the private sector. As well as requiring federal agencies to produce unclassified reports of threats to U.S. companies and requiring the reports to be shared in a timely manner, the order directs NIST, in collaboration with industry, to lead the development of a framework of cybersecurity practices to reduce cyber risks to critical infrastructure. The framework is due in October.
Earlier this month, NIST posted a draft outline of the cybersecurity framework for public review. The outline proposes a core structure for the framework and includes a user’s guide and an executive overview that describes the purpose, need, and application of the framework in business. The Commerce Department agency has also already held a set of related workshops with industry groups around the nation.
This May, in an initial analysis of responses concerning development of a cybersecurity framework, NIST noted that a majority of respondents prefer risk-based approaches over compliance-based approaches. Meanwhile, some power sector entities, such as the National Rural Electric Cooperative Association, have pointed out that power sector entities that own or operate assets on the bulk electric system are already required to adhere to one or more of the North American Electric Reliability Corp.’s (NERC’s) nine cybersecurity standards (known as Critical Infrastructure Protection [CIP] standards) and to cybersecurity standards mandated by the Nuclear Regulatory Commission. Covered entities found in violation of the CIP standards could be subject to fines as high as one million dollars per day per violation.
The Cybersecurity Act of 2013, which passed in committee on Tuesday, does not require companies to adopt the best practices and standards that will be included in NIST’s final framework.
In a letter to Sens. Rockefeller and Thune on Monday, the U.S. Chamber of Commerce lauded the bill because it is "narrowly tailored and industry-focused." The Chamber said it backs S. 1353 because it "stops short of codifying elements of the administration’s cybersecurity framework process, because we believe that it is constructive to let framework efforts play out fully before they are written into law."
The nation’s largest business federation also urged Congress to pass a cyber bill that includes "robust safeguards" for businesses that voluntarily exchange threat data with their peers and government partners. "Targeted and bi-directional information-sharing and mitigation efforts, along with appropriate liability protection, are the most effective tools that could be provided to increase cyber protections for companies and government entities. These tools can coexist with important protections for privacy and civil liberties," it said.
Sources: POWERnews, Committee on Commerce, Science, and Transportation, EEI, U.S. Chamber of Commerce
—Sonal Patel, Senior Writer (@POWERmagazine, @sonalcpatel)
NOTE: This story was originally published on July 30