By now it’s no secret that the Cybersecurity Information Sharing Act, which Congress bundled with the 2016 omnibus, has passed.
The legislation designates the Homeland Security Department as the portal for cyberthreat information sharing among agencies and between the government and private companies that choose to participate.
But a closer look shows the President now has the authority to appoint another civilian agency as a portal for cyberthreat information sharing, if DHS’ portal isn’t secure or working properly.
The President would have to explain to Congress his reason for authorizing another agency.
The legislation also requires private companies that do choose to share threat indicators to remove any personal information before sharing with DHS. The department will then do a second scrub for any remaining personal information.
Cracking down on the IRS
The 2016 budget largely freezes funding for the IRS at fiscal 2015 levels. The IRS will receive about $10.9 billion in 2016 — $1.7 billion less than what President Barack Obama requested in his original budget proposal.
Congress will make an additional $290 million available to the IRS, but only if the IRS Commissioner sends both appropriations committees a breakdown of how the agency plans to use that money to make “measurable improvements in the customer service representatives level of service rate, to improve the identification and prevention of refund fraud and identity theft and to enhance cybersecurity to safeguard taxpayer data.”
IRS Commissioner John Koskinen has long argued that pervasive budget cuts have — and will continue to — prevent his agency from properly serving its customers.
But the budget also includes several provisions that target commonly argued congressional concerns.
The IRS, for example, can’t give a bonus or award to any employee who owes back taxes, or re-hire a former employee who hasn’t paid up.
IRS employees can’t use agency funding to make a video, unless the Service-Wide Video Editorial Board approves it and says the purpose, content and tone of the video are appropriate.
Specific language reminds the IRS that it cannot use agency funding for outside conferences that don’t have approval from the agency’s chief financial officer or Human Capital Office.
And it explicitly states no IRS employee can use a personal email account for government business.
Legislation in the 2016 budget also specifies that the IRS cannot use appropriated funding to target groups for their ideological beliefs or “target citizens of the United States for exercising any right guaranteed under the First Amendment.”
The budget also requires the IRS to report on all activities that are done under “official time.”
The Director of National Intelligence, along with the director of the FBI and Homeland Security Department Secretary, will look into standards they can use to measure the damage of future cybersecurity attacks.
They’ll also look for a way to quantify the damage to affected computers, systems and devices.
The first set of findings is due to Congress within 180 days; the final report is due in 360 days.
This is one of many new, congressionally mandated studies on cybersecurity, seemingly in reaction to multiple cyber breaches in 2015 at the Office of Personnel Management.