On Tuesday, the House of Representatives passed the Department of Homeland Security (DHS) Cybersecurity Strategy Act of 2015 (HR 3510), which would direct the Secretary of the Department of Homeland Security to develop a departmental strategy to carry out cybersecurity responsibilities as set forth in law.
Rep. Cedric Richmond (D-La.), the bill’s author and ranking member of the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee, said following passage of the legislation that “Protecting our nation’s critical infrastructure from cyber-attacks is one of the biggest challenges we face today.”
“We must develop a thoughtful and comprehensive plan in order to resolve vulnerabilities and avoid future attacks,” he stated, adding that, “As evidenced by breaches at the Office of Personnel Management, Anthem and Sony, our current level of cybersecurity must be raised.”
“An important part of improving our nation’s cybersecurity is making sure that the Department of Homeland Security is able to defend our nation and its people from cyber attacks. We must be sure that the DHS has an ample strategy to carry out its mission in the face of ever-changing threats,” Richmond said.
He concluded, saying, “This legislation is proof that there is bipartisan support for finding effective solutions to this issue, and that we are not content to leave security to improvisation. I look forward to continuing to work with my colleagues in Congress and partners at DHS to ensure the best possible protection from any potential threats.”
The Department of Homeland Security Cybersecurity Strategy Act of 2015 would require that, no later than 60 days after the date of the enactment of the legislation, the DHS secretary “shall develop a departmental strategy to carry out cybersecurity responsibilities as set forth in law.”
The strategy required by the bill shall include the following:
- Strategic and operational goals and priorities to successfully execute the full range of the secretary’s cybersecurity responsibilities; and
- Information on the programs, policies and activities that are required to successfully execute the full range of the secretary’s cybersecurity responsibilities, including programs, policies and activities in furtherance of the following:
  - Cybersecurity functions set forth in the second section 226 (relating to the national cybersecurity and communications integration center);
  - Cybersecurity investigations capabilities;
  - Cybersecurity research and development; and
  - Engagement with international cybersecurity partners.
In addition, the bill would require that, in developing the strategy required under subsection (a), the DHS secretary shall consider:
- The cybersecurity strategy for the Homeland Security Enterprise published by the Secretary in November 2011;
- The Department of Homeland Security Fiscal Years 2014-2018 Strategic Plan; and
- The most recent Quadrennial Homeland Security Review issued pursuant to section 707.
The secretary would also have to include information on the roles and responsibilities of components and offices of DHS, to the extent practicable, to carry out such strategy.
Furthermore, not later than 90 days after the development of the strategy required under subsection (a), the DHS secretary shall issue an implementation plan for the strategy that includes the following:
- Strategic objectives and corresponding tasks;
- Projected timelines and costs for such tasks; and
- Metrics to evaluate performance of such tasks.
With regard to Congressional oversight, the DHS secretary shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate for assessment the following:
- A copy of the strategy required under subsection (a) upon issuance; and
- A copy of the implementation plan required under subsection (d) upon issuance, together with detailed information on any associated legislative or budgetary proposals.
The bill also contains two further provisions:
- Prohibition on Reorganization: In the event that the strategy required under subsection (a) or implementation plan required under subsection (d) includes actions to reorganize departmental components or offices, such actions may not be executed without prior congressional authorization; and
- Classified Information: The strategy required under subsection (a) shall be in an unclassified form but may contain a classified annex.