[Congressional Record Volume 164, Number 146 (Tuesday, September 4, 2018)]
[House]
[Pages H7793-H7796]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
ADVANCING CYBERSECURITY DIAGNOSTICS AND MITIGATION ACT
Mr. RATCLIFFE. Mr. Speaker, I move to suspend the rules and pass the
bill (H.R. 6443) to amend the Homeland Security Act of 2002 to
authorize the Secretary of Homeland Security to establish a continuous
diagnostics and mitigation program at the Department of Homeland
Security, and for other purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 6443
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Advancing Cybersecurity
Diagnostics and Mitigation Act''.
SEC. 2. ESTABLISHMENT OF CONTINUOUS DIAGNOSTICS AND
MITIGATION PROGRAM IN DEPARTMENT OF HOMELAND
SECURITY.
(a) In General.--Section 230 of the Homeland Security Act
of 2002 (6 U.S.C. 151) is amended by adding at the end the
following new subsection:
``(g) Continuous Diagnostics and Mitigation.--
``(1) Program.--
``(A) In general.--The Secretary shall deploy, operate, and
maintain a continuous diagnostics and mitigation program.
Under such program, the Secretary shall--
``(i) develop and provide the capability to collect,
analyze, and visualize information relating to security data
and cybersecurity risks;
``(ii) make program capabilities available for use, with or
without reimbursement;
``(iii) employ shared services, collective purchasing,
blanket purchase agreements, and any other economic or
procurement models the Secretary determines appropriate to
maximize the costs savings associated with implementing an
information system;
``(iv) assist entities in setting information security
priorities and managing cybersecurity risks; and
``(v) develop policies and procedures for reporting
systemic cybersecurity risks and potential incidents based
upon data collected under such program.
``(B) Regular improvement.--The Secretary shall regularly
deploy new technologies and modify existing technologies to
the continuous diagnostics and mitigation program required
under subparagraph (A), as appropriate, to improve the
program.
``(2) Activities.--In carrying out the continuous
diagnostics and mitigation program under paragraph (1), the
Secretary shall ensure, to the extent practicable, that--
``(A) timely, actionable, and relevant cybersecurity risk
information, assessments, and analysis are provided in real
time;
``(B) share the analysis and products developed under such
program;
``(C) all information, assessments, analyses, and raw data
under such program is made available to the national
cybersecurity and communications integration center of the
Department; and
``(D) provide regular reports on cybersecurity risks.''.
(b) Continuous Diagnostics and Mitigation Strategy.--
(1) In general.--Not later than 180 days after the date of
the enactment of this Act, the Secretary of Homeland Security
shall develop a comprehensive continuous diagnostics and
mitigation strategy to carry out the continuous diagnostics
and mitigation program required under subsection (g) of
section 230 of such Act, as added by subsection (a).
(2) Scope.--The strategy required under paragraph (1) shall
include the following:
(A) A description of the continuous diagnostics and
mitigation program, including efforts by the Secretary of
Homeland Security to assist with the deployment of program
tools, capabilities, and services, from the inception of the
program referred to in paragraph (1) to the date of the
enactment of this Act.
(B) A description of the coordination required to deploy,
install, and maintain the tools, capabilities, and services
that the Secretary of Homeland Security determines to be
necessary to satisfy the requirements of such program.
(C) A description of any obstacles facing the deployment,
installation, and maintenance of tools, capabilities, and
services under such program.
(D) Recommendations and guidelines to help maintain and
continuously upgrade tools, capabilities, and services
provided under such program.
(E) Recommendations for using the data collected by such
program for creating a common framework for data analytics,
visualization of enterprise-wide risks, and real-time
reporting.
(F) Recommendations for future efforts and activities,
including for the rollout of new tools, capabilities and
services, proposed timelines for delivery, and whether to
continue the use of phased rollout plans, related to securing
networks, devices, data, and information technology assets
through the use of such program.
(3) Form.--The strategy required under subparagraph (A)
shall be submitted in an unclassified form, but may contain a
classified annex.
(c) Report.--Not later than 90 days after the development
of the strategy required under subsection (b), the Secretary
of Homeland Security shall submit to the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Homeland Security of the House of
Representative a report on cybersecurity risk posture based
on the data collected through the continuous diagnostics and
mitigation program under subsection (g) of section 230 of the
Homeland Security Act of 2002, as added by subsection (a).
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
Texas (Mr. Ratcliffe) and the gentleman from Mississippi (Mr. Thompson)
each will control 20 minutes.
The Chair recognizes the gentleman from Texas.
General Leave
Mr. RATCLIFFE. Mr. Speaker, I ask unanimous consent that all Members
have 5 legislative days in which to revise and extend their remarks and
include any extraneous material on the bill under consideration.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Texas?
There was no objection.
Mr. RATCLIFFE. Mr. Speaker, I yield myself such time as I may
consume.
Mr. Speaker, earlier this year, the Office of Management and Budget
and the Department of Homeland Security
[[Page H7794]]
released a report on the cybersecurity risks faced by Federal agencies.
Among the findings of that report was that almost 75 percent of our
Federal agencies are vulnerable to cyber threats, in large part due to
their inability to understand cybersecurity risks and, therefore, to
properly prioritize resources.
Mr. Speaker, it is statistics like this that should make the state of
our Nation's cyber readiness and resilience deeply troubling to all of
us. And it is one of the main reasons that DHS' Continuous Diagnostics
and Mitigation, or CDM, program has been one of my top priorities
during my time as chairman of the Cybersecurity and Infrastructure
Protection Subcommittee. That is because CDM has the potential to
provide solutions to this problem by dramatically increasing visibility
across Federal networks, thereby dramatically improving the ability of
DHS, OMB, and agency security officers to better understand the
technology assets being utilized across their agencies.
Mr. Speaker, at the end of the day, looking across all networks and
systems the Federal Government owns and operates, it comes down to
fingers on government keyboards, whether they be laptops, desktops,
tablets, servers, or in data centers.
{time} 1715
We need to know what we have before we can try to defend it.
That is why the CDM program is so crucial to the cybersecurity
posture of our Federal Government. Through its phased rollout, CDM
requires DHS to provide agencies with the capabilities to collect the
cybersecurity risk information necessary to make better decisions. It
not only allows the ability to combat our enemies in cyberspace, but
also to help Federal CIOs manage information technology.
The security data that CDM capabilities and tools collect will help
Federal CIOs and DHS make smarter choices about where taxpayer dollars
are going and to understand some of the most basic questions a
cybersecurity expert faces, including what devices are on the network.
Mr. Speaker, H.R. 6443 is necessary to codify the CDM program at DHS
and ensure that these authorities will exist to allow the continued
progress of this essential cybersecurity program.
Making sure that Federal agencies have access to the tools and
capabilities they need to defend their networks and getting DHS the
data to understand cybersecurity risks and vulnerabilities, and to
coordinate our Federal network defenses, are paramount concerns in this
technological age.
My goal, and the goal of the bipartisan group of cosponsors
supporting H.R. 6443, is to help boost the long-term success of the CDM
program.
This bill also ensures that this program keeps pace with the cutting-
edge capabilities being developed in the private sector, thereby
avoiding the type of vendor lock that has previously been a problem. In
that way, this bill ensures that we will be modernizing and updating
our systems before they become legacy technologies unsupported by
vendors and at even greater risk of being exploited by our digital
adversaries.
It is DHS' CDM program that will help Federal agencies and the whole
of the Federal Government to understand the threats they face and the
risks that these vulnerabilities pose in real time. Authorizing the CDM
program will further DHS' role in the cybersecurity mission throughout
our government and will continue to strengthen and elevate this
important program.
Mr. Speaker, I urge my colleagues to support this bill, and I reserve
the balance of my time.
Mr. THOMPSON of Mississippi. Mr. Speaker, I yield myself such time as
I may consume.
Mr. Speaker, I rise in support of H.R. 6443, the Advanced
Cybersecurity Continuous Diagnostics and Mitigation Act.
Mr. Speaker, H.R. 6443 would codify the existing Continuous
Diagnostics and Mitigation, or CDM, program within the Department of
Homeland Security's National Protection and Programs Directorate, NPPD.
CDM is an important part of our national approach to securing Federal
networks. Through CDM, DHS works with Federal agencies to identify,
purchase, and integrate cybersecurity tools and services to help defend
their networks against cyber attacks.
By taking advantage of bulk pricing, CDM allows agencies to purchase
security services at a discounted rate and, in turn, devote more of
their limited resources to carrying out their missions. Another benefit
of the program is that it enables DHS to track threats to agency
networks, giving the Department a more holistic view of the threat
landscape.
Still, given the enormous challenges associated with protecting such
a massive and diverse set of networks, it is not surprising that DHS
has, at times, struggled.
For instance, in rolling out CDM, DHS officials mapped four phases of
implementation where, in the first phase, agencies would identify all
the assets and devices on their networks.
At the time, DHS projected that the last phase, which is focused on
protecting the data that agencies store, would begin being tackled in
2017. Unfortunately, the CDM deployment schedule has been plagued with
across-the-board delays, starting with the implementation of phase 1,
which took years. As a result of these delays, the data housed on
agency networks--what the bad guys are really after--remains less
secure than might otherwise have been.
H.R. 6443 would address CDM's challenges in a few ways, for example,
by asking DHS to reconsider its phased approach to implementation and
examine opportunities to streamline adoption of CDM technologies.
This bill would also require DHS to develop a comprehensive strategy
that addresses deployment challenges, areas where greater coordination
is needed, and recommendations for continuous improvement.
Finally, H.R. 6443 adds specificity to DHS' responsibilities under
CDM and includes robust reporting requirements to inform congressional
oversight.
Every year, Federal networks get hit by tens of thousands of
attempted intrusions, many of them sophisticated, state-sponsored
attacks. We have seen time and again the cost and damage that can flow
from a high-profile Federal breach. As such, we need CDM to work.
Mr. Speaker, I yield 2 minutes to the gentleman from Rhode Island
(Mr. Langevin).
Mr. LANGEVIN. Mr. Speaker, I thank the gentleman for yielding, and I
want to recognize and thank the gentleman from Texas for his leadership
on this issue as well as for his leadership as chairman of the
Subcommittee on Cybersecurity and Infrastructure Protection.
As the cofounder and co-chair of the Congressional Cybersecurity
Caucus, which I have co-led for a decade with my good friend Chairman
McCaul, I firmly believe that cybersecurity is the national and
economic security issue of the 21st century. I believe it is,
therefore, incumbent upon us as Members of Congress to enable the
government to take the steps needed to protect our systems and to
provide some course correction when necessary.
This bill does both, authorizing the Continuous Diagnostics and
Mitigation, or CDM, program and requiring a strategy from the
Department of Homeland Security to guide its future growth. CDM
represents a core component of the Department's efforts to better
secure the dot-gov domain. In particular, by giving agencies a better
view into their networks, systems, and data, it helps provide an
understanding of cybersecurity status in real time.
It also feeds back data to DHS, so that cybersecurity specialists at
the National Protection and Programs Directorate can better assist
agencies in closing vulnerabilities and responding to incidents.
Conceptually, CDM makes a lot of sense, but it has not been without
challenges in implementation. Originally designed with a phased model
that focused on incorporating new sets of tools at each milestone, it
has fallen behind schedule, and many agencies have expressed skepticism
about the program's utility.
I believe in CDM, and I believe that the congressional direction
provided by Mr. Ratcliffe's bill will help dispel some of these doubts.
I also believe that the strategy can further help refocus the program
on the present and future needs of Federal networks. So I am pleased
that, during the committee
[[Page H7795]]
consideration, my amendment requiring a re-examination of the phasing
plan was adopted.
While I appreciate the thought underlying the original phasing
approach, I believe that we make more progress if the planned phase 3
and phase 4 are constructed in parallel rather than serially.
This is a good bill, and I urge my colleagues to support its passage.
However, I must take this opportunity to mention this bill's major
omission. It does not address the incentive structure at other agencies
to actually adopt CDM offerings. During hearings and roundtables on the
program, we often heard from government stakeholders that internal
dynamics at DHS' sister agencies were actually the biggest obstacle to
the program's success.
The SPEAKER pro tempore (Mr. Higgins of Louisiana). The time of the
gentleman has expired.
Mr. THOMPSON of Mississippi. Mr. Speaker, I yield an additional 1
minute to the gentleman from Rhode Island.
Mr. LANGEVIN. Mr. Speaker, I thank the gentleman for yielding.
This is, to be sure, outside the purview of the Committee on Homeland
Security, and I believe the bill before us will materially improve the
program.
One other thing, I urge my colleagues to consider the wisdom of
having so many committees involved with cybersecurity jurisdiction,
often to the detriment of making real progress. Right now, there are
some 30 committees and subcommittees that have jurisdiction over cyber,
and it is very difficult to get things done. So I also urge my
colleagues to look at the Executive Cyberspace Coordination Act, which
would put a Senate-confirmed director of cybersecurity at the White
House to help better coordinate interagency processes. Dealing with
these jurisdictional problems would substantially improve our
cybersecurity posture and would allow CDM to fully live up to its
potential.
With that, I would like to again thank Ranking Member Thompson and
Chairmen McCaul and Ratcliffe for continuing their focus on
cybersecurity. I strongly urge support for H.R. 6443. I commend
Chairman Ratcliffe for introducing the bill, and I certainly hope all
Members will support it and DHS' ongoing cybersecurity efforts.
Mr. RATCLIFFE. I reserve the balance of my time, Mr. Speaker.
Mr. THOMPSON of Mississippi. Mr. Speaker, I have no further speakers
on this bill, and I yield myself the balance of my time.
Mr. Speaker, H.R. 6443 seeks to improve DHS' capacity to carry out
one of its more important homeland security missions: the protection of
Federal agency networks.
Over the past decade, we have seen the number of cyber attacks
against Federal agencies rise by more than 1,000 percent. Last year
alone, the Office of Management and Budget reported that Federal
agencies experienced more than 35,000 cybersecurity incidents. A
challenge of this magnitude cannot be undertaken by each agency on its
own. They need help.
That is where the CDM program comes in. By authorizing CDM in law,
DHS and its agency partners can confidently move forward to bolster
Federal network security. By requiring the Department to revisit its
implementation plans and work to finally resolve its longstanding CDM
challenges, H.R. 6443 puts the program on an even more secure footing.
Mr. Speaker, I urge my colleagues to support this bipartisan
legislation, and I yield back the balance of my time.
Mr. RATCLIFFE. Mr. Speaker, I would like to thank my friends across
the aisle, Ranking Member Thompson and Congressman Langevin, for their
support of this bill. I would like to thank the ranking member of the
Cybersecurity and Infrastructure Protection Subcommittee, Mr. Richmond,
for cosponsoring this bill.
Mr. Speaker, this is, very simply, commonsense legislation that will
strengthen our Nation's cybersecurity posture and thereby strengthen
our Nation's national security.
Mr. Speaker, once again, I urge my colleagues to support H.R. 6443,
and I yield back the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I rise today in support of H.R. 6443,
the ``Advancing Cybersecurity Diagnostics and Mitigation Act'' which
codifies the Continuous Diagnostics and Mitigation (CDM) Program
administered by the Department of Homeland Security.
At a time when the computer networks of our government are under
constant attack, and have suffered serious breaches in recent years, we
must take action to ensure that the information of our citizens and the
ability of federal agencies to carry out their duties are resilient.
As a long-time advocate of a government that works efficiently for
the people, it is clear that current information security practices of
federal agencies are neither sufficient nor consistent.
Without an honest effort to even get to obtain a view of the security
state of federal networks, users, and devices, we will continue to be
increasingly vulnerable.
To that end, H.R. 6443 recognizes the importance of a dynamic
approach that will help secure federal networks and data, as well as
provide improved information on vulnerabilities and security practices
across the various agencies.
In particular, this measure codifies the Continuous Diagnostics and
Mitigation (CDM) Program to which:
1. Deploys DHS sensors which perform ongoing scans for
vulnerabilities and known flaws; and
2. Feed the collected data to an enterprise dashboard to provide
increased insight into the information security posture of federal
agencies.
Without codifying this concrete measure to fortify federal networks
and devices, federal agencies will remain vulnerable.
While codifying the DHS CDM Program will harden the security posture
of the federal government, we are still suffering from a shortage of
workers with the requisite skills in this area.
To address this, I have introduced the Cyber Security Education and
Federal Workforce Enhancement Act (H.R. 1981), which would address our
cyber workforce shortage by establishing an Office of Cybersecurity
Education and Awareness within DHS which will focus on:
1. Recruiting information assurance, cybersecurity, and computer
security professionals;
2. Providing grants, training programs, and other support for
kindergarten through grade 12, secondary, and post-secondary computer
security education programs;
3. Supporting guest lecturer programs in which professional computer
security experts lecture computer science students at institutions of
higher education;
4. Identifying youth training programs for students to work in part-
time or summer positions at federal agencies; and
5. Developing programs to support underrepresented minorities in
computer security fields with programs at minority-serving
institutions, including Historically Black Colleges and Universities,
Hispanic-serving institutions, Native American colleges, Asian-American
institutions, and rural colleges and universities.
Mr. Speaker, government agencies and the private sector alike
continue to struggle to identify the motivations and methods behind a
cyber-attack and, in many cases, lack timely information on tactics and
techniques hackers are using.
Despite this, the White House has eliminated the position of
Cybersecurity Coordinator from the National Security Council.
This occurred even after Federal Risk Determination Reports found
that communication of threat information within agencies is also
inconsistent, with only 59 percent of agencies reporting a capability
to share threat information to all employees within an enterprise so
they have the knowledge necessary to block attacks.
Federal agencies are not taking advantage of all available
information such as threat intelligence, incident data, and network
traffic flow to improve situational awareness regarding systems at risk
and to prioritize investments.
For this reason, earlier this Congress, I introduced H.R. 3202, the
``Cyber Vulnerability Disclosure Reporting Act'', which was passed by
the full House and is now in the Senate.
H.R. 3202 requires the Secretary of Homeland Security to submit a
report on the policies and procedures developed for coordinating cyber
vulnerability disclosures.
The report will include an annex with information on instances in
which cyber security vulnerability disclosure policies and procedures
were used to disclose details on identified weaknesses in computing
systems or digital devices at risk.
The report will provide information on the degree to which the
information provided by DHS was used by industry and other
stakeholders.
I would also like to recognize the University of Houston, which has
been recognized by the Department of Homeland Security and the National
Security Agency as a Center of Academic Excellence for the programs in
cybersecurity and cyber defense.
In closing, Mr. Speaker, I urge all members to join me in voting to
pass H.R. 6433, the ``Advancing Cybersecurity Diagnostics and
Mitigation Act''.
[[Page H7796]]
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from Texas (Mr. Ratcliffe) that the House suspend the rules
and pass the bill, H.R. 6443, as amended.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill, as amended, was passed.
A motion to reconsider was laid on the table.
____________________