House Bill Aims to Reform Federal IT SecurityLegislation Would Fulfill 44th Presidency Panel's Recommendations
The bill, the Executive Cyberspace Coordination Act, is sponsored by Rep. James Langevin, D-R.I., who said the legislation would address the cybersecurity challenges facing the government outlined in the latest report from the Commission on Cybersecurity for the 44th Presidency, which he co-chairs (see 44th Presidency Commission Issues Update).
The legislation is similar to the Cybersecurity and Internet Freedom Act of 2011, a bill introduced in February by the leaders of the Senate Homeland Security and Governmental Affairs Committee (see Senate Bill Eyes Cybersecurity Reform).
According to a fact sheet issued by Langevin, the National Office of Cyberspace would coordinate and oversee the security of agency information systems and infrastructure. This office would have strong budgetary oversight powers that are backed by financial pay-for-performance authorities, while remaining accountable to Congress. Federal agencies would be responsible for reporting on their information security threats, practices and history to the cyberspace office before submission of their budgets to Office of Management and Budget. The cyberspace office director would serve on the National Security Council, allowing the director to review agency information security budgets and make recommendations back to the agencies and the president.
Besides creating the National Office of Cyberspace, the bill also would require agencies to undertake automated and continuous monitoring of their systems to ensure compliance and identify deficiencies and potential risks caused by cyber incidents or threats to an agency's information technology assets. These activities are intended to move agencies away from current manually intensive, compliance focused, periodic assessments under the Federal Information Security Management Act. The legislation also would:
- Require development of secure acquisition policies to be used in the procurement of information technology products and services, including a vulnerability assessment for any major system and its significant items of supply prior to development.
- Oblige agencies to obtain an annual independent audit of their information security programs to determine their overall effectiveness and compliance with FISMA. Audits would also be required of contractors responsible for managing agency systems or programs on their behalf.
- Institute a Federal Cybersecurity Practice Board within the Office of Cyberspace to develop policies and procedures for agencies to meet FISMA requirements and to oversee the implementation of approved standards and guidelines by the National Institute of Standards and Technology. The Board would be chaired by the cyberspace director and include standing members from OMB, Defense Department and selected members from civilian and law enforcement agencies.
- Create a White House Office of the Chief Technology Officer headed by a Senate-confirmed federal CTO, to work collaboratively across the government and private sector to analyze and improve the use of information technology. The federal CTO also would be a standing member of the Cybersecurity Practice Board.
- Grant authority to protect critical infrastructure to the Department of Homeland Security. Homeland Security Presidential Directive-7 provides authority to the DHS secretary to coordinate the protection of critical infrastructure. This bill would clarify this authority to include the creation, verification and enforcement of measures with respect to the protection of the information systems that control critical infrastructure. Langevin said the legislation does not give DHS control over private systems, but allows it to establish risk-informed security practices and standards for critical infrastructure.
- Develop better cooperation across agencies by bringing the departments of Defense and Homeland Security to the table to better coordinate their resources under the appropriate authority of the president.
- Define the sectors of in American society that most urgently need protection. The DHS secretary would determine what critical infrastructure should fall under cyber regulation and receive new protections developed between industry and government, recognizing that not every part of our critical infrastructure is as vulnerable to cyberthreats as is the power grid.
- Enhance the public-private partnership for critical infrastructure by requiring DHS to work with the departments of Defense and Commerce, NIST and the sector specific federal regulatory agencies to establish standards to protect critical infrastructure. These efforts will also be carried out with the consultation of appropriate private sector bodies, including private owners and operators of the infrastructure affected. This will ensure that standards are based on the recommendations of cyber experts as well as those with first hand knowledge of the reality of the challenges facing each industry.
- Provide the authority to ensure these standards and practices are carried out. Coordinating through a new National Office for Cyberspace, DHS would work with sector-specific federal regulators to establish enforcement mechanisms. These include the ability to conduct security audits or issue subpoenas to determine compliance with regulatory requirements for securing critical infrastructure.
- Establish cyber challenge programs with the aim to strengthen the government's cybersecurity workforce. The initiative would support educational programs designed to engage students in the skill sets that they will need to keep our country competitive and safe online into the future.
Reps. Roscoe Bartlett, R.-Md., senior member of the House Armed Services Committee; C.A. Ruppersberger, D-Md., ranking member of the House Permanent Select Committee on Intelligence; and Loretta Sanchez, D-Calif., ranking member of the Armed Services's Subcommittee on Strategic Forces cosponsored the bill.