5 Tasks for CISOs Under FISMA Reform

CIOs Held Accountable But CISOs Tasked with Getting Job Done
5 Tasks for CISOs Under FISMA Reform
When Congress enacted the Federal Information Security Management Act of 2002, the law that governs how the government secures its digital assets, lawmakers charged agency and departmental chief information officers with responsibility for information security for their respective organizations. Nary a mention of a chief information security officer.

Fast forward eight years to late last month, when FISMA reform passed the House as part of the Defense Authorization Act for Fiscal Year 2011. CIOs, under the bill, would continue to be accountable for their agencies' IT security, but the legislation would provide specific responsibilities for CISOs if it becomes law.

Most federal agencies have CISOs, but the House-passed bill could codify that position as a subordinate of the CIO with the responsibility to oversee agency information security and the authority to ensure and enforce compliance with the requirements imposed by federal law.

Here are the five primary responsibilities for CISOs under the legislation drafted by Reps. Diane Watson, D.-Calif., and James Langevin, D.-R.I.:

  1. Oversee the establishment and maintenance of a security operations capability on an automated and continuous basis;
  2. Develop, maintain and oversee an agency-wide information security program as required by law;
  3. Develop, maintain and oversee information security policies, procedures, and control techniques to address all applicable requirements;
  4. Train and oversee personnel with significant responsibilities for IT security;
  5. Assist senior agency officials concerning their responsibilities.

The legislation provides specifics on the CISOs' responsibilities regarding the automated and continuous monitoring of agencies' IT systems. They must assure that their agencies have trained and cleared personnel sufficient to assist in complying with requirements and report every other year to the department secretary or agency head on the effectiveness of IT security programs, including remedial actions being taken.

CISOs, according to the bill, must possess the necessary qualifications, including education, professional certifications, training, experience and the security clearance required to administer the functions described, and have information security duties as their primary duty.

As part of their responsibilities to assist senior agency officials, CISOs must:

  • Assess the state of compliance of all networks and systems with prescribed controls and report immediately any variances. Where appropriate, and with approval of the agency CIO, the CISO can shut down systems deemed to be non-compliant.

  • Detect, report, contain and mitigate incidents that impair adequate security of the information and IT infrastructure, in accordance with policy provided by the director of the National Office for Cyberspace - a new White House office that bill would establish - and in consultation with the Chief Information Officers Council and guidance from the National Institute of Standards and Technology.

  • Collaborate with the National Office for Cyberspace and appropriate public and private-sector security operations centers to address incidents that impact IT security that extend beyond the control of the agency.

  • Provide notice within 24 hours of discovery of specified incidents to the appropriate security operations center, the National Cyber Investigative Joint Task Force, and the Inspector General of the agency unless otherwise directed by policy established by the White House cyberspace office.

At one time, lawmakers debated granting CISOs, not CIOs, ultimate responsibility for their agencies' IT security, and establish a Federal CISO Council. But that idea faded, with the belief that the individual responsible for IT, the CIO, be held accountable for its security as well.

In an interview last year with, Navy CIO Robert Carey said collaboration on IT security is best handled through the Federal CIO Council, which has a committee on IT security and he co-chairs.

"Rather than disconnect the folks who are playing in this space, why don't we connect them overtly, and then we can form that alliance to manage, in essence, cyber and security issues on behalf of each of the agencies," Carey said. "There are a few CIOs who are playing on it, but this is clearly the forum where the CISOs are driving the answers."

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.