Bill Defines Responsibilities of Federal CISOs

Each Agency Must Designate Senior Officer as CISO

By GovInfoSecurity.com, February 23, 2011.
Legislation now before Congress would, if enacted, require every federal agency to designate a senior agency officer as chief information security officer, with the authority and budget necessary to ensure the agency complies with federal cybersecurity laws and regulations.

Though the E-Government Act assigns primary responsibility for IT security to departmental and agency chief information officers, the Cybersecurity and Internet Freedom Act of 2011, introduced last week in the Senate (see Senate Bill Eyes Cybersecurity Reform), delineates responsibilities for CISOs.

According to the bill - sponsored by the leaders of the Senate Homeland Security and Governmental Affairs Committee - CISOs would oversee the establishment, maintenance and management of agencies' security operations centers that have technical capabilities and can, through automated and continuous monitoring:

  • Detect, respond to and mitigate incidents that impair risk-based security of agency data and information systems and infrastructures, in accordance with policies provided by the director of a newly created National Center for Cybersecurity and Communications, or NCCC.

    (NCCC would be responsible for day-to-day government IT security, oversee the United States Computer Emergency Readiness Team, or US-CERT, and lead federal efforts to protect public- and private-sector cyber and communications networks.)

  • Monitor and, on a risk-based basis, mitigate and remediate the vulnerabilities of every information system within the agency information infrastructure.
  • Continually evaluate the risks posed to information and information systems, and hold senior agency officials accountable for ensuring the risk-based security of agency data and IT systems.
  • Collaborate with the NCCC director and appropriate public- and private-sector security operations centers to address incidents that have an impact on the security of information and information systems that extend beyond the control of the agency.

The legislation calls on agency CISOs to collaborate with the federal CIO to establish, maintain and update an enterprise network, system, storage and security architecture that can be accessed by the NCCC. Another provision would have CISOs develop and maintain an agency-wide information security program and IT security policies. The bill also would require a CISO to assist senior agency officers regarding their IT security responsibilities and ensure that the CIO has a sufficient number of cleared and trained personnel with technical skills.

Under the bill, CISOs must report at least annually to agency heads on the effectiveness of IT security programs, including progress on remedial actions taken.

The bill also requires that CISOs - whose primary duties must be IT security - possess the necessary qualifications, including education, professional certifications, training, experience and security clearances. The measure does not specify what those educational and professional qualifications should be.
