visible.frylock's Journal: Highlights from proposed cybersecurity bill

This entry is in response to a recent story about the tentative Cybersecurity Act of 2009 (PDF). Rather than having it buried below all the comments, I thought I'd just put it here.

There really is quite a bit in this, related to both freedom and more practical security aspects. It includes security standards, exploit definition languages, security professional licensing, DNSSEC, IANA, government software acquisition, and of course the President's shutdown authority that everyone has been commenting about. You should really read the bill for yourself.

NIST and security responsibilities (pg 17)

In section 6, NIST is given responsibility to develop security metrics, measuring the risk from a "prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities" (including embedded, or so they say). Section 6 goes on:

(4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE
The Institute shall establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
(5) STANDARD SOFTWARE CONFIGURATION
The Institute shall establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
(6) VULNERABILITY SPECIFICATION LANGUAGE
The Institute shall establish standard computer-readable language for specifying vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.
(7) NATIONAL COMPLIANCE STANDARDS FOR ALL SOFTWARE
(A) Protocol. The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks [......]

Licensing for security professionals contracting to the federal government (pg 21)

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.
(a) IN GENERAL
Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING
Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

IANA (pg 22)

SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS.
(a) IN GENERAL
No action by the Assistant Secretary of Commerce for Communications and Information after the date of enactment of this Act with respect to the renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority, shall be final until the Advisory Panel:
(1) has reviewed the action;
(2) considered the commercial and national security implications of the action; and
(3) approved the action.
[......]

DNSSEC (pg 23)

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
(a) IN GENERAL
Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system.
[......]

PUBLIC-PRIVATE CLEARINGHOUSE (pg 39)

SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.
(a) DESIGNATION
The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal government and private sector owned critical infrastructure information systems and networks.
(b) FUNCTIONS
The Secretary of Commerce
(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;
[....]

President's authority (pg 43)

SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.
The President
(1) within 1 year after the date of enactment of this Act, shall develop and implement a comprehensive national cybersecurity strategy, which shall include

[....]

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network;
[....]

(Non) Definition of critical infrastructure network (pg 50)

(3) FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS
The term Federal government and United States critical infrastructure information systems and networks includes
(A) Federal Government information systems and networks; and
(B) State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.

FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD (pg 49)

SEC. 22. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD.
(a) ESTABLISHMENT
There is established a Secure Products and Services Acquisitions Board. The Board shall be responsible for cybersecurity review and approval of high value products and services acquisition and, in coordination with the National Institute of Standards and Technology, for the establishment of appropriate standards for the validation of software to be acquired by the Federal government.
[.....]

Highlights from proposed cybersecurity bill

  • ..of saying all networks.

    What do you think is the most onerous in all of this?

    • Hard to tell. It depends on what, if anything, gets passed. The "state of emergency" part is definitely the obvious one.

      2) may declare a cybersecurity emergency and
      order the limitation or shutdown of Internet traffic ....

      Shutdown OR LIMIT? Limit as in selective filtering?

      2009: We want to filter to enhance our nation's e-security and stop illegal file sharing.

      2010: We're filtering to prevent cyber-bullying, cyber-stalking, and to stop the flow of child pornography.

      2011: We're filtering to foil the plans of
