This story was updated Friday to reflect the passage of the bill.
The omnibus spending bill and tax package passed by the House and Senate Friday and heading to the president’s desk will include a new version of the Cybersecurity Information Sharing Act, plus a host of other policy riders and legislation.
Lawmakers reached a deal late Tuesday night on a 2000+ page, $1.1 trillion bill that will fund the government until the end of the current fiscal year on Sept. 30, 2016. Alongside that is a $680 billion tax package.
The massive bill is filled with a litany of policy riders, which dictate new policies affecting matters from oil exports to alternative energy credits, as well as laws related to health programs for 9/11 responders and meat labeling, among others.
Tucked into the legislation is a version of CISA that was hammered out by a small group of lawmakers from three separate cybersecurity information sharing bills that passed the House and Senate earlier this year.
The final bill devotes 135 pages to CISA. Just before its release early Wednesday morning, a bipartisan group of four lawmakers circulated a letter complaining that the bill’s provisions were being finalized behind closed doors.
“Legislation encouraging cybersecurity information sharing between industry and government is complicated and will have hugely negative ramifications on user privacy if done improperly,” reads a letter from Reps. Justin Amash, R-Mich., Zoe Lofgren, D-Calif., Ted Poe, R-Texas, and Jared Polis, D-Colo.
“Reports indicate a new bill is being negotiated by just a handful of members for inclusion in the omnibus…We cannot cast such a consequential vote with no input.”
Among the provisions in the bill is complete liability protection for companies who share threat indicators, even if they fail to scrub personally identifiable information before turning them over to the government.
Also, DHS is allowed to share indicators with other government agencies, including the FBI and National Security Agency, provided that PII is scrubbed from that information. However, the bill grants the president the ability to create data portals at other agencies if the DHS portal is found to be flawed.
Robyn Greene, Policy Counsel at New America’s Open Technology Institute, said the strong-arm actions behind closed doors led to “a race to the bottom on privacy and operational effectiveness.”
“On several fronts, this bill is significantly worse than the two House-passed bills,” Greene said in a statement. “Representatives should demand that it be stripped from the omnibus so that they can debate it and vote on the record, to reject this deeply flawed bill.”
The bill also codifies a number of efforts taken up by both DHS and the White House’s Office of Management and Budget to protect federal IT systems. Similar to directives put forth in OMB’s Cybersecurity Implementation Plan, the bill calls for agencies to identify mission critical data, encrypt it while in transit and at rest, and assess the access controls related to that data.
The bill also asks OMB to prepare a report on the Einstein intrusion detection system, which will detail which agencies are using the tool and how many intrusions the system detected and turned away.
There is also a significant portion of the bill dedicated to improving the cyber workforce within the federal government. The Director of the Office of Personnel Management, Secretary of Homeland Security, Director of NIST, and Director of National Intelligence are tasked with working to implement the National Initiative for Cybersecurity Education, which will help the federal government streamline the hiring of cybersecurity professionals. The National Initiative for Cybersecurity Education was created under the Cybersecurity Enhancement Act of 2014.
Elsewhere, the bill also extends the identity theft and fraud protection OPM is offering to victims of its data breaches from three years to a full decade, covering up to $5 million in damages. The National Treasury Employees Union, a union which represents federal employees, called the measure “a significant improvement” over the current offering, which was 3 years of coverage up to $1 million in damages.