The House last week passed by voice vote legislation intended to give the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency more teeth in working with the public and private sectors to tackle the most critical cyber vulnerabilities.
H.R. 3710, the Cybersecurity Vulnerability Remediation Act, sponsored by Rep. Sheila Jackson Lee (D-Texas), would amend the Homeland Security Act of 2002 to state that “the director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.”
CISA would have a year after enactment to submit to the Senate and House Homeland Security committees “a report on how the Agency carries out subsection (m) of section 2209 of the Homeland Security Act of 2002 to coordinate vulnerability disclosures, including disclosures of cybersecurity vulnerabilities (as such term is defined in such section), and subsection (n) of such section (as added by section 2) to disseminate actionable protocols to mitigate cybersecurity vulnerabilities.”
The report would include “a description of the policies and procedures relating to the coordination of vulnerability disclosures, a description of the levels of activity in furtherance of such subsections (m) and (n) of such section 2209, any plans to make further improvements to how information provided pursuant to such subsections can be shared (as such term is defined in such section 2209) between the Department and industry and other stakeholders, any available information on the degree to which such information was acted upon by industry and other stakeholders, a description of how privacy and civil liberties are preserved in the collection, retention, use, and sharing of vulnerability disclosures.”
The bill would also allow the DHS Under Secretary for Science and Technology and CISA to “establish an incentive-based program that allows industry, individuals, academia, and others to compete in providing remediation solutions for cybersecurity vulnerabilities.”