Key Committee Approves the Federal Cybersecurity Enhancement Act of 2015
Carper, Johnson bill would strengthen federal agencies' cyber defenses
WASHINGTON — Today, the Senate Homeland Security and Governmental Affairs Committee approved legislation that would provide federal agencies with stronger tools to protect their critical networks and Americans’ sensitive information. The Federal Cybersecurity Enhancement Act of 2015 (S.1869), introduced by Ranking Member Tom Carper (D-Del.) and Chairman Ron Johnson (R-Wis.), would require that all federal agencies implement stronger protections and state-of-the-art technologies to defend against cyberattacks. It would also accelerate the deployment and adoption of the Department of Homeland Security’s federal cybersecurity program known as EINSTEIN. The bill, as amended, was approved unanimously.
Sen. Carper: “We know that with each passing day, and for the foreseeable future, our federal agencies will continue to come under a cascade of attacks in cyber space, as will our businesses and critical infrastructure. Congress needs to make bolstering our cyber defenses – and staying ahead of this evolving threat – a top priority. Today, our committee continued to make real progress on this incredibly important issue by coming together, through a collaborative and transparent process, to advance legislation that will bolster our federal agencies’ cyber defenses. I thank Chairman Johnson for his partnership in moving this bill forward and look forward to working on this bipartisan legislation with the rest of our Senate colleagues so that we can ensure every agency is equipped with the ever-improving capabilities needed to fend off future cyber attacks.”
Sen. Johnson: “The U.S. government’s computer networks are under attack. Hacktivists, organized crime syndicates and nation-states have successfully launched electronic assaults against vulnerable government networks, some of which house millions of Americans’ personal and private information. Senator Carper and I are pleased the Federal Cybersecurity Enhancement Act, to accelerate deployment of a federal intrusion detection and prevention system that will improve the government’s cyber defense capabilities, passed unanimously out of our committee today. This act will require agencies to adopt best practices in cybersecurity. Had the powers of this bill been implemented already, they likely would have stopped the hack of the Office of Personnel Management. With this act in place, it will become far more difficult for our adversaries to steal our private data and to penetrate government networks.”
The Federal Cybersecurity Enhancement Act of 2015 would mandate the deployment of cybersecurity best practices at agencies — measures such as intrusion assessments, strong authentication, encryption of sensitive data and appropriate access controls. The bill would also authorize EINSTEIN, an intrusion detection and prevention system intended to screen federal agencies’ Internet traffic for potential cyber threats. Despite being 10 years in the making, the capability is not available to all agencies, and more than half of federal agencies have yet to deploy the full EINSTEIN system. Currently only 45 percent of federal agencies are using the program’s intrusion prevention capabilities. This bill would dramatically accelerate deployment and adoption of EINSTEIN, and it includes reporting requirements to increase program accountability.
During today’s business meeting, the following amendments were added to the bill:
• Sen. Ayotte-McCaskill Amd. #1: As modified, this amendment would require the Secretary of the Department of Homeland Security (DHS) to ensure that several privacy and transparency measures are incorporated into the EINSTEIN system.
• Sen. Ayotte-McCaskill-Johnson-Carper Amd. #2: As modified, this amendment would grant DHS additional tools to help improve cybersecurity across government and require a report from the Office of Management and Budget.
• Sen. Paul Amd. #1: This amendment would clarify that the liability protection in the bill would not provide protection to an internet service provider who breaks a user agreement with its customers.
• Sen. Paul Amd. #6: As modified, this amendment would require DHS to report on whether private information is retained under the EINSTEIN bill when it is not related to a cyber threat.
• Sen. Sasse Amd. #1: As modified, this amendment would require an assessment and report to identify all unclassified information on government networks that, when combined with other unclassified information, could produce a piece of classified information.
• Sen. Sasse Amd. #2: As modified, this amendment would require an assessment and report to Congress on the damage to national security caused by the data breach at the Office of Personnel Management (OPM).