Cybersecurity Legislation in the 113th and 114th Congresses


March 1, 2017
The legislative framework for cybersecurity is complex, with more than 50 federal laws affecting various aspects of it. Nevertheless, since the 111th Congress, more than 300 bills have been introduced that would address a range of cybersecurity issues. Several that were enacted in the 113th and 114th Congresses are discussed below. Those bills addressed five main topics:

Protection of Federal Information Systems: updating federal agency requirements to reflect changes in technology and the threat landscape, and establishing Department of Homeland Security (DHS) authorities to protect federal systems.

Information Sharing: facilitating public- and private-sector sharing of information on cyberthreats and defensive measures and permitting private-sector entities to monitor and operate defenses on their information systems.

Statutory Authorization of Ongoing Activities:
- DHS—the National Cybersecurity and Communications Integration Center (NCCIC) and the intrusion-protection system known as EINSTEIN.
- National Institute of Standards and Technology (NIST)—relating to the Framework for Improving Critical Infrastructure (CI) Cybersecurity and the National Initiative for Cybersecurity Education (NICE).
- National Science Foundation (NSF)—the CyberCorps: Scholarship-for-Service program to train new cybersecurity professionals.

Research and Development (R&D): requiring a multiagency strategic plan for cybersecurity R&D and specifying areas of research for NSF.

Federal Cybersecurity Workforce: requiring the Office of Personnel Management (OPM) to establish and implement an employment-code structure for federal cybersecurity personnel and improving the size, skills, and preparation of the DHS cybersecurity workforce, including recruitment.

Other Provisions required the following:
- DHS to develop and exercise incident-response plans for cybersecurity risks to CI,
- DHS and NIST to assist states in improving cybersecurity for emergency response networks,
- the Department of Health and Human Services (HHS) to assist the healthcare sector in reducing cybersecurity risks,
- the Office of Management and Budget (OMB) to establish procedures for notification and other responses to federal agency data breaches of personal information,
- the Department of State to produce an international cyberspace policy and engage in international consultations on measures against cybercriminals, and
- various federal agencies to report to Congress on specified cybersecurity topics and activities.

The provisions summarized above are in the bills cited in Table 1.

Table 1. Cybersecurity Laws Enacted in 2014 and 2015

Public Law    Title
P.L. 113-246  Cybersecurity Workforce Assessment Act
P.L. 113-274  Cybersecurity Enhancement Act of 2014
P.L. 113-277  Border Patrol Agent Pay Reform Act of 2014
P.L. 113-282  National Cybersecurity Protection Act of 2014—NCPA
P.L. 113-283  Federal Information Security Modernization Act of 2014—FISMA 2014
P.L. 114-113  Cybersecurity Act of 2015 (Division N)—CSA
                - Cybersecurity Information Sharing Act (Title I)—CISA
                - National Cybersecurity Protection Advancement Act of 2015 (Subtitle A of Title II)—NCPAA
                - Federal Cybersecurity Enhancement Act of 2015 (Subtitle B of Title II)—FCEA
                - Federal Cybersecurity Workforce Assessment Act of 2015 (Title III)
                - Other Cyber Matters (Title IV)

Source: CRS.

The Cybersecurity Workforce Assessment Act required an assessment by DHS of its cybersecurity workforce and development of a workforce strategy. The Border Patrol Agent Pay Reform Act of 2014 provided additional hiring and compensation authorities to DHS and required a DHS assessment of workforce needs.

The Cybersecurity Enhancement Act contained the provisions on R&D and on NIST and NSF program authorizations described above.

NCPA provided statutory authority for the DHS NCCIC, and specified both public- and private-sector members. The act gave NCCIC responsibility for sharing timely and actionable cybersecurity information, providing situational awareness and coordination of information across sectors, performing integration and analysis of risks and incidents, providing technical assistance upon request, and making recommendations for improving cybersecurity.

The act also requires DHS to develop and exercise incident-response plans for cybersecurity risks to CI and to provide security clearances to appropriate representatives.
https://crsreports.congress.gov

NCPA also has a provision on OMB data-breach notification policies similar to that in FISMA 2014 (see below).

FISMA 2014 updated the Federal Information Security Management Act (FISMA 2002). FISMA 2014 retains, with some amendments, most provisions of the earlier law. Notable changes include providing statutory authority to DHS for overseeing operational cybersecurity of federal civilian information systems, as well as requiring agencies to implement DHS-issued directives and to use DHS automated tools for cybersecurity protection.

It requires OMB to update periodically data-breach notification policies and guidelines for agencies, including notification of Congress and affected individuals.

The four titles of the CSA address information sharing, the security of federal systems, the federal cybersecurity workforce, international cybercrime and cyberspace policy, and cybersecurity in the healthcare and emergency services sectors, as well as other issues, and it includes a number of reporting requirements.

CISA (Title I) requires the Director of National Intelligence (DNI), the Secretaries of Homeland Security and Defense, and the Attorney General (AG), in consultation with federal agencies, to jointly establish procedures for sharing classified and unclassified cybersecurity information with relevant federal and nonfederal entities.

It gives private entities the authority to monitor and defend their own systems, and others where authorized, and to voluntarily share threat information and defensive measures with each other and the federal government, with protections for security, privacy, nondisclosure, and correction of errors. Covered activities are exempted from antitrust laws, and entities performing them are protected from liability. However, the act also specifies actions that are not permitted under the antitrust exemption.

As required by CISA, DHS and the Department of Justice (DOJ) issued procedures and guidelines for sharing between federal and nonfederal entities, with protection of privacy and civil liberties, and prevention of unauthorized disclosure. DHS, which the act named as the main federal portal for information sharing, established a process within the department for receiving and sharing information. Receipt of information must be through that process except for regulatory and law enforcement purposes. The President may subsequently establish an additional process if needed.

Government entities may use shared information for specified purposes relating to cybersecurity, prevention of serious personal or economic harm, and law enforcement, but not for regulatory purposes except as related to prevention or mitigation of cyberthreats. CISA supersedes nonfederal laws on authorized activities, except for law enforcement. It limits the effect of its provisions on otherwise lawful disclosures, whistleblower protections, protection of sources and methods, other law on information shared with the federal government, other information sharing relationships, contractual obligations and rights, obligations for nonfederal entities to share information with the federal government, liability for not sharing, otherwise legal disclosure in criminal prosecutions, regulatory authority except as provided in the title, and the authority of the Secretary of Defense to respond to malicious cyber-activities by foreign powers. Provisions in the title expire at the end of FY2025.

NCPAA (Title II, Subtitle A) expands NCCIC responsibilities to include CISA implementation and other information sharing responsibilities across CI sectors and internationally. It permits DHS to enter into voluntary information-sharing agreements with nonfederal entities. It also requires DHS to (1) support and develop automated information-sharing mechanisms, (2) implement direct reporting by the NCCIC to the Secretary of Homeland Security of significant risks and incidents, (3) engage in public outreach on information sharing, and (4) regularly update and exercise the annex on cybersecurity of the DHS National Response Framework. DHS may also implement ways to coordinate vulnerability disclosures. The act also specifies sharing cybersecurity information as a function of Information Sharing and Analysis Organizations (ISAOs).

FCEA (Title II, Subtitle B) provides statutory authorization for the DHS EINSTEIN program, requires agency adoption of it and implementation of additional cybersecurity measures. It also gives DHS authority, in the event of a substantial threat to federal systems, to issue emergency directives for their protection, and, in the event of an imminent threat, to use intrusion-protection capabilities. Agencies must identify sensitive and mission-critical data on their systems, make such data indecipherable to unauthorized users, assess access needs and controls, and implement identity management.

The Federal Cybersecurity Workforce Assessment Act (Title III) requires OPM to develop personnel codes for federal cybersecurity positions, and agencies must apply those codes as appropriate.

Other Cyber Matters (Title IV): The Department of State produced a required comprehensive international strategy for U.S. cyberspace policy under this title. It also requires the agency to consult with countries that have cybercriminals who are not likely to be extradited to the United States, to determine what crime-fighting actions the countries have taken against such criminals. It requires DHS to establish processes to enhance cybersecurity and information sharing among state emergency responders and to develop best practices for reducing cybersecurity risks to them. HHS created a required public/private taskforce to improve cybersecurity in the healthcare sector. The title also requires HHS to collaborate with other federal and sector entities to develop guidelines for reducing risks. Another provision extended criminal penalties for fraud against a U.S. entity involving devices used to access financial accounts to such uses occurring outside U.S. territory.

Eric A. Fischer, Senior Specialist in Science and Technology


IF10610


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10610 · VERSION 2 · NEW