Standards, Regulations & Compliance

8 Duties of an Agency CISO

U.S. ICE More Explicit On Role Than FISMA
8 Duties of an Agency CISO
The responsibilities of departmental and agency chief information security officers will expand under legislation pending before Congress, but the position itself - though formalized - won't budge much on the organizational chart. CISOs will continue to report to the chief information officers, and won't be getting their own Federal CISO Council, as once envisioned.

As described in the bill - the United States Information and Communications Enhancement Act of 2009, or U.S. ICE - CISOs are more enforcers of and advisors on federal government information security processes than policymakers.

But unlike the Federal Information Security Management Act of 2002, or FISMA, U.S. ICE - introduced last week by Sen. Tom Carper, D.-Del. - formally creates the position of chief information security officer; FISMA designated duties to a "senior information security officer." FISMA needed fewer than 70 words to describe the senior information security officer's tasks vs. nearly 400 words for the CISO job description in U.S. ICE.

U.S. ICE, known as Senate 921, vaguely describes the prerequisites for a CISO, who must possess "necessary qualifications, including education, professional certifications, training, experience and the security clearance" required to administer the functions. Information security duties must be the CISO's primary responsibilities.

Here's what the CISO will do under U.S. ICE:

  1. Develop, maintain and oversee agency-wide IT security programs.

  2. Develop, maintain and oversee policies, processes and control techniques to address all applicable information security requirements.

  3. Oversee the establishment and maintenance of information security on an automated and continuous basis.

  4. Detect, report, contain and mitigate incidents that impair adequate data and infrastructure security.

  5. Train and oversee personnel with significant information security duties as well as assist senior agency/departmental officials regarding their IT security responsibilities.

  6. Collaborate with the National Office for Cyberspace - the White House office that will develop IT security policy and coordinate its implementation - and others security operation centers to address the impact of incidents on IT beyond the control of the agency.

  7. Report within 24 hours of IT security incidents to the appropriate security operations center, the FBI's National Cyber Investigative Joint Task Force and the respective agency's inspector general.

  8. Collaborate with the federal CIO and agency CIOs to establish, maintain and update documentation on an enterprise network, system, storage and security architecture framework that must be submitted quarterly to the National Office of Cyberspace and appropriate security operations centers. The documentation must include how technical, managerial and operational security controls are implemented, how the controls maintain the appropriate level of confidence, integrity and availability of information systems based on cabinet secretary or agency director policy, National Institute of Standards and Technology governance and Federal CIO Council recommendations.

Carper, when he first proposed FISMA reform last year, included provisions to establish a Federal CISO Council. That idea was jettisoned. But a de facto CISO Council exists within the CIO Council, says Navy CIO Robert Carey, who co-chairs the group's Information Security and Identity Management Committee, which consists mostly of CISOs. "Rather than disconnect the folks who are playing in this space, why don't we connect them overtly, and then we can form that alliance to manage, in essence, cyber and security issues on behalf of each of the agencies," Carey says, in an interview with "There are a few CIOs who are playing on it, but this is clearly the forum where the CISOs are driving the answers."

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.