S 885 Introduced
Civilian Cyber Reserve
Earlier this week, Sen Rosen (D,NV) introduced S 885, the Department of Homeland Security Civilian Cybersecurity Reserve Act. The bill would authorize DHS to establish a pilot program for a civilian cybersecurity reserve. No additional funding would be authorized by the bill.
This bill is nearly identical to the version of S 1324, the Civilian Cybersecurity Reserve Act, that was also introduced by Rosen and passed in the Senate under the unanimous consent process during the last session. No action was taken on the bill in the House.
Definitions
Section 2(a) provides definitions for eight key terms used in the legislation. They include two personnel management terms that are defined by reference to existing statutory requirements:
The one new technical term used in this bill is ‘significant incident’ which is broadly defined except that it would not apply to incidents involving national security system, or intelligence agency, computer systems.
Pilot Program
Section 2(b) would authorize CISA to establish a pilot project to establish a Civilian Cybersecurity Reserve at the Agency. It would include the authority (without further approval of the Office of Personnel Management) to:
Establish qualifications requirements for, recruitment of, and appointment to positions; and
Classify positions for inclusion in the pilot program.
It would further allow CISA to temporarily (less than six months) activate Reserve members by:
Noncompetitively appointing members of the Civilian Cybersecurity Reserve to temporary positions in the competitive service; or
Appointing members of the Civilian Cybersecurity Reserve to temporary positions in the excepted service.
The Reserve members would be considered government employees during their temporary appointments.
Pilot Planning
Section 2(e) would require CISA to conduct a study on the design and implementation of the pilot project and prepare a report to Congress on CISA’s plan for implementing the pilot program. That study would include:
Compensation and benefits for members of the Civilian Cybersecurity Reserve,
Activities that members may undertake as part of their duties,
Methods for identifying and recruiting members, including alternatives to traditional qualifications requirements,
Methods for preventing conflicts of interest or other ethical concerns as a result of participation in the pilot project and details of mitigation efforts to address any conflict of interest concerns,
Resources, including additional funding, needed to carry out the pilot project,
Possible penalties for individuals who do not respond to activation when called, in accordance with the rights and procedures set forth under title 5, Code of Federal Regulations, and
Processes and requirements for training and onboarding members.
CISA is not authorized to begin the pilot program until the congressional reporting requirements are completed.
Moving Forward
As I noted yesterday, the Senate Homeland Security and Governmental Affairs Committee is scheduled to take up this bill tomorrow along with 27 other bills. Typically, this means that there is broad support within the Committee for this bill, though there may be amendments that the Committee will consider. I suspect that there will be substantial bipartisan support for the bill. Last session, this version of the bill was able to pass the full Senate under the unanimous consent process, so it may be able to do so again.
Commentary
S 1324 passed late in the last session and never really had a chance to be taken up in the House. I suspect that if it were to make it to the floor for a vote that it would probably pass. The problem is going to be getting it to the floor because this is another unfunded program that is going to run afoul of the budgeting and spending restrictions planned for this session in the Republican controlled House. This would be another program where the spending hawks would be competing with the cybersecurity hawks in the Party and there will only be so many of those fights that either side wants to get into in the lead up to the 2024 elections. I am not sure that this would be a hill the cybersecurity hawks would want to die on.