
Two New Laws for U.S. Cybersecurity

As part of the Biden administration’s efforts to strengthen U.S. cybersecurity,
two bills were signed into law on June 21, 2022.
One allows cybersecurity
and IT professionals
to rotate across multiple federal agencies.
The other directs the Department of Homeland Security (DHS)
to coordinate with state, local, tribal and territorial governments
in strengthening their cybersecurity.

A shared cyber workforce

Let’s talk first about Public Law 117-149,
known as the Federal Rotational Cyber Workforce Program Act of 2021.
It lays out the conditions
under which members of the federal cyber workforce may rotate from one agency to another.
It is worth noting that the law covers not only professionals
in cybersecurity positions,
but also those in other IT positions.
Further,
“agency” here means any executive agency, i.e.,
executive branch departments
(e.g., the Department of Defense),
government corporations
(e.g., the Export-Import Bank of the United States)
and independent establishments
(executive branch bodies that are neither a department nor a government corporation;
e.g., the Central Intelligence Agency).

It is the responsibility of the head of each agency to determine
which of its cyber workforce positions are eligible for rotation
and to notify the Director of the Office of Personnel Management (OPM) of that decision.
The OPM Director then maintains a list of those positions,
with details on each of them,
including their major duties and functions.

Within 270 days of the law’s enactment,
the OPM Director is to issue the Federal Rotational Cyber Workforce Program operation plan.
This plan is to contain the policies,
processes and procedures
for detailing employees
to rotational cyber workforce positions at other agencies.

The procedures may include training,
education
or career development requirements.
Participation in the program is voluntary:
employees must apply to it.
A detail to another agency lasts
at least 180 days and up to one year,
and it may be extended by up to 60 additional days.

When an employee rotates,
they leave their post at their home agency vacant for the duration of the detail.
That’s why agencies are encouraged to partner
so that someone is available to fill the vacated position.
At the end of the detail,
the employee is entitled to return to their former position,
or an equivalent one,
at their home agency without negative consequences
(i.e., no loss of pay, seniority or benefits).

DHS coordination across multiple levels of government

The other new law is Public Law 117-150,
known as the State and Local Government Cybersecurity Act of 2021.
It amends Public Law 107-296,
the Homeland Security Act of 2002.

The new law adds a definition of an SLTT entity,
namely,
a domestic government entity
that is a state,
local,
tribal
or territorial government
or any subdivision thereof.
This definition is needed
to identify the kinds of entities
that will benefit from the shared cybersecurity expertise and resources.

The most substantial addition of the new law is
that it spells out how the National Cybersecurity and Communications Integration Center
(henceforth, “Center”)
is to coordinate cybersecurity with SLTT governments.

The Center is part of DHS,
and its statutory functions already include the following:

  • It shares information about cybersecurity risks
    and defensive measures,
    among other things,
    for federal and non-federal entities.

  • It provides shared situational awareness
    so that those entities can take real-time,
    integrated
    and operational actions
    to address risks and incidents.

  • It coordinates the sharing of cyber threat indicators,
    as well as incidents,
    risks
    and measures across the Federal Government.

  • It facilitates the above across critical infrastructure sectors
    (e.g., energy, food and agriculture, IT),
    in particular for risks and incidents that could affect more than one sector.

  • It provides,
    upon request,
    prompt technical assistance,
    risk management support
    and incident response capabilities,
    helping with attribution,
    mitigation
    and remediation.

  • It gives advice on strengthening information systems against cybersecurity risks.

  • It engages with partners abroad
    to collaborate on achieving the above
    and enhancing global cybersecurity.

  • It identifies and receives information
    about security vulnerabilities in IT systems.

  • It receives and analyzes reports of cyber incidents
    and of ransom payments.

With the new law,
the Center gains the function
of providing operational
and technical cybersecurity training
to SLTT entities.
This help should enable SLTT governments
to tackle risks more effectively,
especially from a preventive stance.

Accordingly,
the Center is now to communicate directly with these entities
to raise their awareness of risks.
For example,
it is to notify them of malware
that may affect the IT systems of organizations or residents in their jurisdiction.
It is also to promote cybersecurity education
among SLTT entities.

Moreover,
the Center is to keep these entities up to date
on tools and products,
resources,
cybersecurity standards and best practices,
policies,
guidelines
and controls.
It is also to assist them in implementing these
and in developing vulnerability disclosure policies
and procedures.

What’s so great about these new laws?

The new laws should help lower the barriers
to accessing cybersecurity expertise and resources.
They will allow even tribal and territorial governments
to make use of services offered by highly qualified personnel.
This matters more than ever,
with cyberattacks on government agencies on the rise.
These laws,
along with last year’s $1 billion in grant funding
for SLTT cybersecurity
(the State and Local Cybersecurity Grant Program created by the Infrastructure Investment and Jobs Act of 2021),
make for a promising strategy
for lifting cybersecurity readiness at all levels of government.

Caution:
This blog post leaves out many details of the two new laws.
Reading it is no substitute
for a careful reading of the public laws themselves.
For a thorough understanding,
we recommend that you read the full texts.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jason Chavarría. Read the original post at: https://fluidattacks.com/blog/two-new-us-cybersecurity-laws/