Though the E-Government Act assigns primary responsibility for IT security to departmental and agency chief information officers, the Cybersecurity and Internet Freedom Act of 2011, introduced last week in the Senate (see Senate Bill Eyes Cybersecurity Reform), delineates responsibilities for CISOs.
According to the bill - sponsored by the leaders of the Senate Homeland Security and Governmental Affairs Committee - CISOs would oversee the establishment, maintenance and management of agencies' security operations centers that have technical capabilities and can, through automated and continuous monitoring:
- Detect, respond to and mitigate incidents that impair risk-based security of agency data and information systems and infrastructures, in accordance with policies provided by the director of a newly created National Center for Cybersecurity and Communications, or NCCC.
(NCCC would be responsible for day-to-day government IT security, oversee the United States Emergency Response Team and lead federal efforts to protect public- and private-sector cyber and communications networks.)
- Monitor and, on a risk-based basis, mitigate and remediate the vulnerabilities of every information system within the agency information infrastructure.
- Continually evaluate the risks posed to information and information systems, and hold senior agency officials accountable for ensuring the risk-based security of data and IT systems.
- Collaborate with the NCCC director and appropriate public- and private-sector security operations centers to address incidents that have an impact on the security of information and information systems that extend beyond the control of the agency.
The legislation calls on agency CISOs to collaborate with the federal CIO to establish, maintain and update an enterprise network, system, storage and security architecture that can be accessed by the NCCC. Another provision would have CISOs develop and maintain an agency-wide information security program and IT security policies. The bill also would require a CISO to assist senior agency officers regarding their IT security responsibilities and ensure that the CIO has a sufficient number of cleared and trained personnel with technical skills.
Under the bill, CISOs must report at least annually to agency heads on the effectiveness of IT security programs, including progress on remedial actions taken.
The bill also requires that CISOs - whose primary duties must be IT security - possess the necessary qualifications, including education, professional certifications, training, experience and security clearances. The measure does not specify what those educational and professional qualifications are.