
    Cybersecurity Act

    by Former Senator John D. Rockefeller, IV

    Posted on 2014-12-11


    ROCKEFELLER. I thank Senator Johnson for his interest and support for this legislation and for his shared interest in strengthening cyber security. I also thank my colleague from South Dakota for drawing attention to the potential impact of this provision on financial regulatory authorities under the Banking Committee's jurisdiction, including those of the Consumer Financial Protection Bureau and the prudential regulators. I would like to assure the Senator that the consensus-based voluntary process for developing cyber security standards established in Title I of this bill is not intended to alter or limit financial regulatory agencies' regulatory authority in any way. Title I, particularly new section (e)(2) of the National Institute of Standards and Technology Act, encourages private entities to participate in NIST's standards development process, but is in no way a "safe harbor" for participants who are subject to the jurisdiction of financial regulatory agencies. An entity that participates in the standards development process established in Title I is still fully subject to the regulations, supervision, and other requirements of its financial regulatory agency. Sharing information with NIST as part of the process established in Title I is not a valid basis for withholding information from a regulator, including information about cyber threats.

    NIST is the Federal government's premier science and standards agency. It is not a regulatory agency, nor is it a national or homeland security agency. NIST's unique role is to bring together knowledgeable players from government and industry and to build consensus around common technical standards. NIST has no authority to require any private entity to follow standards it develops. The cybersecurity standards development process established in Title I is therefore not a rulemaking process. It in no way imposes new or duplicative regulations on entities that are subject to the authority of financial regulatory agencies, and it in no way disturbs or diminishes agencies' authority to exercise their important oversight duties.

    It is not intended to prohibit an agency from taking a regulatory action, such as an action to require an individual entity to protect against future cyber threats, if the agency independently obtains such information pursuant to other statutory or regulatory authority--even if an entity has shared this information with NIST. Nothing in this bill is intended to modify, limit, or otherwise affect the authority of the federal financial regulators under any other provision of law.
