On June 21, 2022, U.S. President Joe Biden signed two cybersecurity bills into law. The latest in a series of efforts to improve the nation’s cybersecurity, the new legislation is intended to build skills and experience among the federal cyber workforce and promote coordination on security issues at all levels of government.
The State and Local Government Cybersecurity Act of 2021 is designed to improve coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and state, local, tribal, and territorial governments. Under the new law, these bodies will be able to share security tools, procedures, and information more easily.
“For hackers, state and local governments are an attractive target,” Rep. Joe Neguse (D-Colo.), who introduced the bill, said in a statement. “We must increase support to these entities so that they can strengthen their systems and better defend themselves from harmful cyberattacks.”
Last month alone saw multiple ransomware attacks on state and local governments, including school systems in New Mexico and Ohio; the city of Quincy, Massachusetts; and New Jersey’s Somerset County.
Under the second new cybersecurity law, the Federal Rotational Cyber Workforce Program Act of 2021, U.S. government employees in IT, cybersecurity, and related fields will be able to rotate through roles across agencies, enabling them to gain new skills and experience in a variety of job functions.
In January, a CISA-commissioned report by the National Academy of Public Administration found that the federal government “lacks a comprehensive, integrated government-wide strategy for developing a national cybersecurity workforce.” The rotation program aims to expand cyber professionals’ career horizons while improving interagency knowledge transfer and cooperation.
Justin Fier, Darktrace’s vice president of tactical risk and response, told Security that the act “will grant federal cyber professionals valuable transferable skills and diversify their career paths,” but cautioned that “it also adds to an industry already suffering peak burnout.” In a recent survey by ThreatConnect, nearly a third of cybersecurity professionals reported feeling highly stressed at work.
The new laws continue a trend of increased efforts to shore up cybersecurity at the federal, state, and local levels. This March saw the passage of the Cyber Incident Reporting Act, which requires organizations in critical infrastructure sectors (as defined by CISA) to report a cyberattack within 72 hours and a ransomware payment within 24.
That act, which VMware’s head of cybersecurity strategy Tom Kellerman called a “game changer,” was passed unanimously by the Senate, indicating increasing recognition of the importance of cyber defense. “I’ve been in cybersecurity for 23 years,” Kellerman said. “To have true bipartisanship action in this regard is historic.”
Lev Craig is an editor at EC-Council covering cybersecurity, blockchain, and DevOps. Before joining EC-Council, Lev worked as a freelance writer and editor in a range of areas in tech, including AI and machine learning, software development, and data privacy. Lev graduated from Harvard University in 2016 with a B.A. in English and lives in New York’s Hudson River Valley.