Republican leaders on the House Energy and Commerce Committee introduced three new pieces of legislation last week that would direct Federal agencies with expertise in discrete industry sectors to take on larger roles in expanding cyber protections for those sectors.
The sectors covered by the new bills include electricity infrastructure and the healthcare sector. One aim of the bills, said Rep. Cathy McMorris Rodgers, R-Wash., is to get away from a Federal-level “one size fits all” approach to cybersecurity oversight and regulation.
The three new bills are the Critical Electric Infrastructure Cybersecurity Incident Reporting Act of 2022, the Ensuring Cybersecurity at the National Institutes of Health (NIH) Act, and the Department of Health and Human Services (HHS) Cybersecurity Coordination Act.
The Critical Electric Infrastructure Cybersecurity Incident Reporting Act of 2022 – introduced by Reps. Cathy McMorris Rodgers, R-Wash., and Fred Upton, R-Mich. – adds a 24-hour cyber incident reporting requirement to the Department of Energy’s (DoE) existing critical infrastructure protection framework.
It also directs the DoE to develop rules that clarify the scope and scale of cybersecurity incidents that require reporting, and to develop procedures for reporting a potential cybersecurity incident.
“Our technology, healthcare, and energy infrastructure security require the vigilance of experts across the federal government to ensure Americans are safe. Energy and Commerce Republicans are warning of the dangers of moving to a one-size-fits-all federal approach, which will weaken agencies’ ability to leverage their expertise in cybersecurity preparedness and defense in their specific, unique sectors,” said Rep. Rodgers in a press release.
The Ensuring Cybersecurity at the NIH Act – introduced by Rep. Morgan Griffith, R-Va. – requires the NIH director to implement cybersecurity protections, including developing a risk management strategy for cybersecurity systems, developing and documenting system security plans, and fully documenting and reviewing policies and procedures.
In addition, this legislation requires identifying and providing information security protections equal to the risk and magnitude of the harm that could result from unauthorized access, use, disclosure, or destruction of the information collected by the NIH.
“The National Institutes of Health has left itself vulnerable to malicious cyber-attacks due to deficiencies in its information systems. My bill would require NIH’s director to implement necessary cybersecurity protections. Federal agencies like NIH must not leave the door open to bad actors that can disrupt important work being done on behalf of the American people,” said Rep. Griffith.
The Department of Health and Human Services (HHS) Cybersecurity Coordination Act – introduced by Rep. Brett Guthrie, R-Ky. – requires the HHS secretary to increase monitoring, evaluation, and reporting on the progress and performance of various cybersecurity working groups within HHS.
“With patient care and privacy on the line, more Federal leadership is needed to ensure health care providers can respond appropriately to sophisticated cyberattacks,” said Rep. Guthrie. “This bill would improve [HHS’] collaboration on cybersecurity threats and enhance their real-time information sharing with health care providers on active cyber threats.”
This bill, according to Rep. Guthrie, would advance patient safety and privacy by requiring HHS to act on cybersecurity recommendations made by the U.S. Government Accountability Office.