The Cybersecurity Act of 2015 Series: New Laws to Protect Government Systems

Posted by Shivan Mehta

In this third post describing the landmark Cybersecurity Act of 2015, we cover Title II of the Act, known as the National Cybersecurity Advancement section. This section comprises two portions: Subtitle A, the National Cybersecurity Protection Act of 2015, and Subtitle B, the Federal Cybersecurity Enhancement Act of 2015. The purpose of these Acts is to bolster cybersecurity protocols for the federal government.

National Cybersecurity Protection Act of 2015 (“NCPAA”)

The main goal of the NCPAA is to enhance the role of the National Cybersecurity and Communications Integration Center (“NCCIC”). The NCCIC is responsible for advancing the development and implementation of the Automated Indicator Sharing (AIS) platform. As explained in our prior post, the AIS platform will allow public and private entities to share cyber information, including both threat indicators and defensive measures. The NCPAA will require the NCCIC to collaborate with international partners to provide the government with a global understanding of current and future cyber threats.

In addition, the NCPAA requires DHS to report to different congressional committees on the following items:

- Feasibility of the AIS platform and cyber testing environment;
- The unique threat indicators and defensive measures;
- Feasibility of a risk-informed plan to address the most current cyber concerns; and
- Cyber vulnerabilities for 10 U.S. ports that are at the greatest risk of attack.

Federal Cybersecurity Enhancement Act of 2015 (“FCEA”)

The FCEA focuses on the security and reliability of the federal government’s systems. DHS must develop and implement a plan to proactively detect, identify, and remove cyber risks within network traffic from one agency system to another. This protocol applies to all federal agencies other than the Department of Defense or any national security system.

Since 2003, DHS has used a protocol called EINSTEIN to monitor technology risks within federal agencies; however, EINSTEIN was not widely used within all agencies. The FCEA provides for upgrades to the EINSTEIN platform and requires all federal agencies to participate.

Under the FCEA, DHS must:

- Within one year, establish a platform that detects and prevents cyber risks within network traffic among all federal agencies;
- Provide metrics to the public on the government’s ability to mitigate cyber risks; and
- Report progress to congressional committees and the Office of Management & Budget.

Both the NCPAA and FCEA advance the federal government’s efforts to control and prevent cyber risks throughout the nation.