
Understanding the New Federal Cyber Laws

By Matt Dahl
January 23, 2015

Congress has proposed dozens of bills related to cybersecurity topics over the last decade, all of which went nowhere. That is, until recently. In December of last year, lawmakers and the President put some of their disagreements over cybersecurity reform to the side and passed the following into law: 1) National Cybersecurity Protection Act (NCPA); 2) Cybersecurity Enhancement Act of 2014 (CEA); 3) Federal Information System Modernization Act of 2014 (FISMA 2014); 4) Cybersecurity Workforce Assessment Act (CWWA); and, 5) Border Patrol Agent Pay Reform Act (BPAPRA).

For the most part, these bills address federal government functions with respect to cybersecurity. FISMA 2014 is an overhaul of the Federal Information Security Management Act of 2002 (FISMA) and is meant to provide a framework for the federal government to assess and ensure its information security controls. The CWWA and BPAPRA deal with cybersecurity workforce issues at the Department of Homeland Security (DHS). The NCPA focuses solely on promoting information sharing between the government and the private sector via DHS.  Finally, the CEA is a bill that, on its face, is also government-focused; however, of all the bills passed in December, it is the one that may have the biggest chance of causing unintended effects on private sector organizations.

The CEA is the broadest of the December bills and likely the most consequential. It covers a wide range of topics, including research and development, and education and awareness. However, it is in the area of public-private collaboration that the new law is apt to have the most impact, since it empowers the National Institute of Standards and Technology (NIST) to facilitate and support the development of voluntary cybersecurity standards for critical infrastructure organizations. This mission was already given to NIST by President Obama through Executive Order in 2013, but the CEA cements it into law and in doing so limits the ability of future Administrations to alter it.

While NIST is not given any regulatory authority, and the standards it produces will not be considered regulations, the framework created by NIST could be adopted by industry groups and even courts as a benchmark for measuring organizations’ cybersecurity posture.  

There already is precedent for a similar framework that has been used by courts dealing with cybersecurity cases. Over the past several years, a number of financial institutions have been subject to lawsuits from corporate customers whose money was stolen by cyber criminals. In many of these cases, courts turned to guidelines created by the Federal Financial Institutions Examination Council (FFIEC) as a way to evaluate the financial institution’s cybersecurity posture. The FFIEC standards have no legal weight of their own, but courts found them to be instructive in these cases and they often played a significant part in the court’s rulings.

A similar situation could very well develop with respect to the NIST standards. Courts, regulatory bodies, and even industry groups that seek guidance in resolving grievances related to cybersecurity incidents are likely to go with the NIST framework because it has been generally well received, was subject to public comment, and is freely available. Also, while the CEA is focused on giving NIST authority to maintain this set of standards with respect to critical infrastructure organizations specifically, there is nothing stopping courts or other regulatory groups from using the NIST standards to gauge the cybersecurity posture of organizations working in non-critical infrastructure sectors. We are already seeing the Securities Exchange Commission and the Federal Trade Commission moving in that direction. Private sector companies also are getting into the act by sending cybersecurity questionnaires to their vendors that are based in part on the NIST framework. Failure to answer the questions adequately removes the vendor from further consideration, turning the framework into a business requirement.

Companies have good reason to consider embracing, rather than staving off, the NIST framework. There is a fair amount of flexibility in its approach. Similar to the FFIEC guidelines, NIST does not mandate the use of specific security protocols or technologies. By way of comparison, FFIEC suggests that financial institutions use a layered security program that applies controls at multiple points in a transaction process in order to build a more effective overall security framework. Meanwhile, the NIST guidelines advocate that organizations approach cybersecurity by evaluating and implementing controls from a risk-based perspective. Guidelines from both organizations provide a framework for thinking about cybersecurity practices while still allowing companies plenty of flexibility in meeting cybersecurity goals.

The implications of the CEA give companies something to think about. Since courts and regulatory bodies lack laws to guide their decision-making process in this area, they likely will turn increasingly to NIST as having set the standard of what good security processes look like. As a result, organizations that strive to make their cybersecurity controls more robust may be well-advised to turn to the same NIST standards as a baseline for exploring their risk and setting their controls. Companies that have not already implemented an internationally recognized set of cybersecurity standards (such as ISA, ISO/IEC, or COBIT) will find that, by using the NIST standards to inform their cybersecurity protocols, they can get ahead of the game should clients or regulatory bodies begin asking for the basis of their cybersecurity posture.

Matt Dahl is Manager of Global Threat Intelligence and Legal Counsel for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, network security penetration testing, assessments and incident response. He can be reached at matthew.dahl@crowdstrike.com.

KEYWORDS: CEA Congress CWWA cyber legislation cyber security NCPA NIST cyber security framework

Copyright ©2025. All Rights Reserved BNP Media.