Senate Committee Unveils Draft Cybersecurity Bill
July 17, 2013
Last year, the Senate failed to invoke cloture on a motion to close debate on the revised Cybersecurity Act of 2012 (S. 3414), which provided for a flexible and voluntary, incentives-based system to encourage owners and operators of the country’s most critical infrastructure systems to adopt some much-needed cybersecurity protections. In response, President Obama issued Executive Order 13636 – Improving Critical Infrastructure Cybersecurity, which addressed several issues concerning the federal government’s sharing of cybersecurity information with owners and operators of private sector critical infrastructure systems, such as the dissemination of unclassified reports of cyber threats to targeted entities and the development of a cybersecurity framework that includes “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”
Of particular interest to the small-business community is the provision included in Section 8(e) where, in consultation with the Federal Acquisition Regulatory Council, the Secretary of Defense and the Administrator of the General Services Administration are ordered to provide recommendations to the president (via the Assistant to the President for Homeland Security and the Assistant to the President for Economic Affairs) “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” It remains to be seen what type of requirements (or security standards) may be included in the acquisition process, or whether these new standards are applicable to just those businesses working on certain projects or if they apply to all government programs.
Executive Order 13636 primarily served as an information sharing and collection exercise and as a starting point for future legislation on the issue. Accordingly, earlier this month, the Senate Commerce, Science and Transportation Committee floated a bipartisan draft cybersecurity bill that, among other things, directs the National Institute of Standards and Technology (NIST) to develop a “voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure”; requires the drafting of a national cybersecurity research and development plan; focuses on cybersecurity education and workforce development; and includes the creation of a national cybersecurity awareness and preparedness campaign.
Addressing our nation’s cyber vulnerabilities is of particular interest to America’s small-business community, and NSBA looks forward to working with Members of Congress, their staffs and key stakeholders to ensure that we protect our nation’s digital networks and critical infrastructure and that any new legislation or policy includes language to provide support for small business cybersecurity efforts and does not place a disproportionate burden on small firms.