Congress has baked a more-than-healthy layer of oversight into the new cybersecurity information-sharing law that is part of the massive spending and tax measure lawmakers are expected to pass on Friday.
Buried within the nearly 150 pages of legislation devoted to the Cybersecurity Act of 2015, there are more than 20 reports lawmakers are demanding from a host of different agencies and offices in the executive branch. The reports, which are due anywhere from three months to three years after the bill’s enactment, cover everything from the policies for handling Americans’ personal information through recording federal IT practices to measuring the planned enhancement of the U.S. civilian cyber workforce.
Although the bill defines deadlines for when the reports should be produced, policy veterans tell FedScoop they won’t be surprised if the reports are delayed or — in some cases — never even produced at all.
Here is a list of the all of the reports to expect as a result of the bill’s passage:
- A report from the attorney general and Homeland Security secretary that reviews the privacy and civil liberty protections associated with cyberthreat indicators shared with the government. This report will occur no less than once every two years.
- No later than one year after enactment, a report for Congress in which agency heads record the number of cyberthreat indicators collected, evaluate the effectiveness of sharing indicators, and the list of agencies or other entities that have collected the indicators.
- No more than two years after enactment and no less than once every two years after the first edition, federal inspector generals will conduct their own assessment of agency efforts, measuring if the program has been effective in both the public and private sector.
- No later than 180 days after enactment, the director of national intelligence will submit a report to the House and Senate intelligence committees on intelligence sharing cooperation with other countries, a list of countries that are cyberthreats to the U.S., how effectively the U.S. can protect the private sector from foreign cyberattacks and what technology would be needed to improve that posture.
- A report from a DHS Undersecretary to the House and Senate Homeland Security Committees on the capabilities within DHS to collect and share cyberthreat indicators using existing technology. This report will be produced annually until capabilities are fully implemented.
- No later than 180 days after enactment, the Homeland Security secretary is to issue a report to the House and Senate homeland committees on information sharing efforts with international partners.
- One year after disseminating how private sector companies are to share threats with the National Cybersecurity & Communications Integration Center, the Homeland Security secretary is to submit a report to the House and Senate homeland committees on ways to reduce cyberthreats to DHS data centers.
- Two years after enactment, the comptroller general is tasked with a report on how DHS has implemented the bill.
- One year after enactment, a DHS undersecretary is to submit a report to the House and Senate homeland committees on the risk assessment related to multiple, simultaneous cyber incidents.
- No later than 180 days after enactment, the undersecretary is to issue a report to the House and Senate transportation committee measuring the cybersecurity risk at the country’s 10 most vulnerable ports.
- Three years after the bill’s enactment, a report is to be issued from the comptroller general studying the security of federal IT systems.
- No later than six months after enactment, the Homeland Security secretary is to issue a report to Congress on the implementation of Einstein, DHS’s intrusion detection system, in federal agencies
- No later than 18 months after enactment, the director of the White House’s Office of Management and Budget is to submit a report to Congress on which computer networks are protected by DHS’ intrusion prevention system Einstein, how many times Einstein detected a vulnerability, and how many intrusions it stopped.
- No earlier than 18 months and no later than 24 months after enactment, the Federal CIO Council is to issue a report measuring the effectiveness of Einstein and the Continuous Diagnostics and Monitoring program.
- No later than 180 days after enactment, the director of national intelligence and OMB Director will issue a report on the risks that would come with a breach of unclassified federal systems and any added costs that would come with designating them a national security system.
- Three months after cybersecurity employment codes are created, heads of federal agencies are to submit reports to congress detailing the percentage of their IT workforce that holds cybersecurity accreditations, how trained and skillful their non-certified staff is, and how their agency plans to close their cyber workforce gap.
- No later than two years after enactment, the Office of Personnel Management and Homeland Security secretary will submit a report on what’s needed to enhance the federal IT workforce.
- One year after enactment, the Homeland Security secretary and director of the National Institute of Standards and Technology will report to Congress the results of a study focused on mobile security within the federal government
- An annual report from the secretary of State on the number of cybercriminals at large in other countries, the number of discussions held to thwart foreign criminals and which criminals were extradited to the U.S.
- One year after enactment, the director of the NCCIC, with consultation from the Commerce secretary and NIST director, will issue a report on reducing cybersecurity risks for first responders.
- Not later than one year after enactment, the secretary of Health and Human Services will submit to the House Commerce Committee and Senate Committee on Health, Education Labor & Pensions a report on responding cybersecurity threats within the health industry.
But just because these reports have been tucked into the bill doesn’t necessarily mean they will see the light of day.
Christian Beckner, the deputy director of the George Washington Center for Cyber & Homeland Security, said it’s going to be particularly tough for DHS to meet the report deadlines with all of the work that’s going to be required to meet the bill’s other policy requirements. However, he said that a number of the reports shouldn’t be too heavy a lift due to the work on the issue the department has done prior to the bill’s passage.
“In some cases, particularly with the procedures related to information sharing, those are things that have by and large already been worked out within the executive branch, so it’s more an issue of formalizing existing policies that are already in place,” Beckner told FedScoop.
Having worked for former Sen. Joseph Lieberman on the Senate Committee on Homeland Security and Governmental Affairs from 2007 to 2012, he said that as long as DHS communicates with Capitol Hill, there will be leeway on when these reports will be completed, if constructed at all.
“It’s one of those things that congressional staff will monitor closely through briefings and regular engagements, but it’s unlikely that all of those deadlines will be met,” he said. “As long as agencies seem to be making sufficient progress toward those issues and communicating with the Hill, by and large Congress will be okay if those deadlines slip a little bit.”