As part of the Biden administration's effort to strengthen U.S. cybersecurity, the President signed two bills into law on June 21, 2022. The first allows cybersecurity and other IT professionals to rotate across multiple federal agencies. The second formalizes collaboration between the Department of Homeland Security (DHS) and state, local, tribal and territorial governments in strengthening their cybersecurity.
A shared cyber workforce
Let's talk first about Public Law 117-149, known as the Federal Rotational Cyber Workforce Program Act of 2021. It lays out the conditions under which members of the federal cyber workforce may rotate from one agency to another. It is worth noting that the law covers not only cybersecurity professionals but also staff in other IT positions. Further, "agency" here means an executive branch department (e.g., the Department of Defense), a government corporation (e.g., the Export-Import Bank of the United States) or an independent establishment (an executive branch entity that is neither an executive department nor a government corporation; e.g., the Central Intelligence Agency).
The head of each agency is responsible for determining which of its cyber workforce positions are eligible for rotation and for notifying the Director of the Office of Personnel Management (OPM) of that decision. OPM then compiles a list of the eligible positions, with details about each of them, including the major duties and functions.
Within 270 days of the law's enactment, OPM is to issue the operation plan for the Federal Rotational Cyber Workforce Program. This plan must contain the policies, processes and procedures for detailing employees among rotational cyber workforce positions at agencies.
The procedures should include training, education or career development requirements. Participation in the program is voluntary: employees must apply for it themselves. A detail at the other agency lasts at least 180 days and at most one year, and it may be extended by up to 60 more days.
When an employee rotates out, they vacate their post at their home agency. That is why agencies are encouraged to partner with one another, so that there is always someone to fill the vacated position. At the end of the detail, the employee is entitled to return to their former position, or an equivalent one, at their home agency without negative consequences (i.e., no loss of pay, seniority or benefits).
DHS coordination across multiple levels of government
The other new legislation is Public Law 117-150, known as the State and Local Government Cybersecurity Act of 2021. It amends Public Law 107-296, the Homeland Security Act of 2002.
The new law adds a definition of an SLTT entity: a domestic government entity that is a state, local, tribal or territorial government, or any subdivision thereof. This definition identifies precisely which entities will benefit from the shared cybersecurity expertise and resources the law provides for.
The most substantial addition of the new law is a description of exactly how the National Cybersecurity and Communications Integration Center (henceforth, "the Center") is to coordinate cybersecurity with SLTT governments.
The Center is part of the DHS and has the following among its functions:
It shares information about cybersecurity risks and defensive measures, among other things, with federal and non-federal entities.
It provides situational awareness so that those entities can take real-time, integrated and operational action to address risks and incidents.
It coordinates the sharing of cyber threat indicators, as well as incidents, risks and measures across the Federal Government.
It facilitates the same sharing across critical infrastructure sectors (e.g., energy, food and agriculture, IT) when more than one of them could be compromised.
It provides, upon request, prompt technical assistance, risk management support and incident response capabilities, helping with attribution, mitigation and remediation.
It gives advice on strengthening IT systems against risks.
It engages with partners abroad to collaborate on achieving the above and enhancing global cybersecurity.
It identifies and receives information about security vulnerabilities in IT systems.
It receives and analyzes reports of cyber incidents and ransom payments.
With the new law, the Center gains the function of providing operational and technical cybersecurity training to SLTT entities. This help should enable SLTT governments to tackle risks more effectively, especially from a preventive stance.
Accordingly, the Center will now communicate directly with these entities so they become more aware of risks. For example, it will notify them of malware that may affect the IT systems of organizations or residents in their jurisdictions, and it will promote cybersecurity education among SLTT entities.
Moreover, the Center will keep these entities up to date on tools and products, resources, cybersecurity standards and best practices, policies, guidelines and controls. It will also assist them in implementing those tools and practices, and in developing policies and procedures for the responsible disclosure of vulnerabilities.
What's so great about these new laws?
The new laws clearly help lower the barriers that many governments face in accessing cybersecurity expertise and resources. They allow even tribal and territorial governments to draw on services offered by highly qualified personnel. This matters more than ever, with cyberattacks on government agencies on the rise. Together with the $1 billion in cybersecurity funding for SLTT entities enacted last year, these laws make for a promising strategy for lifting cybersecurity readiness at all levels of government.
Caution: Many details of the two new laws are omitted from this blog post. Reading this post is no substitute for a careful reading of the two public laws. For a thorough understanding, we recommend that you read the full texts.