5 Duties of a Cybersecurity Czar
Responsibilities of White House Official Defined
Legislation creating a White House director of cyberspace would give that official five distinct authorities and functions if enacted. Here's the job description for the director of the National Office for Cyberspace, as outlined in the United States Information and Communications Enhancement Act of 2009, or U.S. ICE, which was introduced by Sen. Tom Carper, D.-Del., this week.
1. Develop and implement a comprehensive cyberspace strategy in coordination with a public-private partnership to ensure a trusted and resilient communications and information infrastructure, by:
Enhancing economic prosperity and facilitating market leadership for the U.S. information and communications industry;
Defending, preventing and repairing disruptions and damage to America's information and communications infrastructure;
Ensuring U.S. capabilities to operate in cyberspace in support of national goals; and
Protecting privacy rights and preserving civil liberties of Americans.
2. Oversee federal government IT and communications systems, by:
Recommending to agencies how to mitigate vulnerabilities, attacks and exploitations discovered through activities required by this legislation;
Directing IT security policies, standards and guidelines to ensure agencies comply with standards created by the National Institute of Standards and Technology;
Requiring agencies to report unauthorized access, use, disclosure, disruption, modification or destruction of data or systems; and
Reviewing annually, and either approving or disapproving, agencies' information security programs.
3. Oversee the effective implementation of governmentwide operational evaluations by:
Monitoring, detecting, analyzing, protecting and responding against known vulnerabilities, attacks and exploitations;
Reporting to and collaborating with appropriate security operation centers and law enforcement agencies;
Mitigating the risk posed by successful exploitations of systems in a timely fashion to prevent future vulnerabilities and attacks.
4. Report to Congress by March 1 of each year the overall IT security posture of the United States' communications and information infrastructure, including detailed assessments of the:
Overall resiliency and effectiveness of the communications and information infrastructure of the United States and its government, including the ability to monitor, detect, mitigate and respond to an incident;
Information security effectiveness of each agency, including the ability to monitor, detect, mitigate and respond to an incident; and
Significant deficiencies in the IT security and reporting practices of federal government agencies.
The director also would submit a remedial action plan to address agency deficiencies, including an associated budget and recommendations for relevant actions by the executive branch and Congress.
5. Develop and implement policy, guidance and regulations - in coordination with the Office of Management and Budget, NIST and the General Services Administration - that cost effectively enhance federal government IT security by:
Standardizing security requirements - known as lock-down configurations - of commercial off-the-shelf products and services, including cloud computing products and services, purchased by federal agencies;
Pre-certifying products and services with known levels of security standards and configurations, when practicable; and
Reducing vulnerabilities and costs associated with custom products and services by providing incentives to get agencies to purchase standard products and services through the GSA.
These policies, guidance and regulations should allow purchasing decisions to reasonably account for significant supply chain risks associated with any specific product or service.
The cyberspace director also must annually inform Congress of the cost savings and security enhancements achieved by using the federal government's purchasing power, along with recommendations for achieving further cost savings.