Bill Gives DHS Lead on Fed IT Security Policy
White House Cyber Office Dropped from U.S. ICE
The responsibility to oversee information security among federal agencies would shift from the White House Office of Management and Budget to DHS under revisions to the measure, nicknamed U.S. ICE, that updates the IT security guidance detailed in the seven-year-old Federal Information Security Management Act (FISMA), according to a senior cybersecurity staff member on the Senate Committee on Homeland Security and Governmental Affairs.
The revision, finalized by committee staffers on Thursday, also eliminates provisions establishing a National Office of Cyberspace that would have been situated in the Executive Office of the President. Centering the development of cybersecurity policy in the White House was a main recommendation of the report from the Commission on Cybersecurity for the 44th Presidency, and was backed by many IT security policymakers and practitioners and by some lawmakers. But that provision appears to have fallen victim to mounting criticism that the White House was seeking too many "czars" across a wide range of policy areas.
Instead, U.S. ICE would grant most of the government's IT security oversight to the secretary of Homeland Security and the department's National Protection and Programs Directorate, the staffer said.
OMB wouldn't lose all authority; it would retain the final say over budgeting matters. But under the revisions, DHS would review all departmental and agency cybersecurity spending plans and forward its recommendation to OMB.
The thinking behind shifting responsibility from OMB to DHS is that Homeland Security has the cybersecurity expertise, whereas OMB's proficiency is budgeting. "Already, the Department of Homeland Security is the coordinating agency on cybersecurity," the staffer said. "Now, what you're doing is drastically strengthening the role of DHS by putting it into law and then also giving them the ability to say, with FISMA, approve or not approve agencies' plans, controls, frameworks, the way they secure their systems."
If enacted as revised, the bill would give the Homeland Security secretary and her subordinates, including the deputy undersecretary for national protection and programs, wide latitude in developing metrics to judge whether federal government IT systems are secure.
The bill also continues the role of the National Institute of Standards and Technology as the key government agency for developing IT security guidance, but leaves to DHS the decision about which guidance takes priority.
Other provisions of the U.S. ICE revision include, according to the staffer:
- Creating an interagency cybersecurity council within DHS to provide insight from various agencies on the development of federal cybersecurity policy. The senior person responsible for IT security in each department or agency would sit on the panel; in some agencies that would be the chief information officer, in others the chief information security officer. The idea of a CISO Council was put forward before U.S. ICE was introduced by its sponsor, Sen. Tom Carper, the Delaware Democrat who chairs the Senate subcommittee with IT security oversight, but was dropped from the original measure. At the time of the bill's introduction, Carper said a CIO Council committee would address IT security concerns.
- Establishing baseline IT security standards, in cooperation with IT vendors, for commercial off-the-shelf products, with the aim of driving cost efficiencies.
- Forming a joint interagency group that includes DHS, NIST and the Government Services Administration to establish a common certification and accreditation framework for securing technologies such as cloud computing. Agencies would not be allowed to establish their own C&A standards.
The staff revisions are not necessarily the final ones. The Senate Homeland Security Committee would hold a markup session at which senators can make additional changes.
The staffer wouldn't predict when the committee or the full Senate would vote on the measure. However, in an interview with GovInfoSecurity.com earlier this year, Carper predicted it would be signed by the president in the Rose Garden on his birthday, Jan. 23.
Clarification: An earlier version of this story said the revised bill would establish a joint agency to establish a common certification and accreditation framework. The entity to be established would be a joint interagency group, not a new agency.