DHS Given More Cybersecurity Responsibilities
Hardly twins, but the Department of Homeland Security and the Federal Information Security Management Act came into existence about the same time in 2002. When Congress enacted FISMA, nary a mention of DHS could be found in the law that sets out how IT is governed in the federal government.
But the White House this week issued a memorandum delineating the cybersecurity duties of the Office of Management and Budget, White House cybersecurity coordinator and DHS, with DHS gaining more responsibility in assuring agencies comply with FISMA. Technically, OMB retains its authority outlined in FISMA; the law is the law, after all. In practice, however, DHS's role in IT governance has grown.
A memorandum dated July 6 and signed by OMB Director Peter Orszag and Cybersecurity Coordinator Howard Schmidt states:
"Effective immediately, DHS will exercise primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within FISMA under 44 U.S.C. §3543. In carrying out this responsibility and the accompanying activities, DHS shall be subject to general OMB oversight."
What will DHS oversee?
- Governmentwide and agency-specific implementation of and reporting on cybersecurity policies and guidance and efforts to provide adequate, risk-based and cost-effective cybersecurity;
- Agencies' compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report;
- Agencies' cybersecurity operations and incident response and providing appropriate assistance; and
- Agencies' annual review of cybersecurity programs.
And what will be the tasks tackled by OMB and Schmidt?
"OMB will be responsible for the submission of the annual FISMA report to Congress, for the development and approval of the cybersecurity portions of the president's budget, for the traditional OMB budgetary and fiscal oversight of the agencies' use of funds, and for coordination with the cybersecurity coordinator on all policy issues related to the prior three responsibilities.
"The cybersecurity coordinator will have visibility into DHS efforts to ensure federal agency compliance with FISMA and will serve as the principal White House official to coordinate interagency cooperation with DHS cybersecurity efforts."
As the memo points out, national security and presidential homeland security directives already have given much cybersecurity authority to DHS, including critical infrastructure protection, operation of the United States Computer Emergency Readiness Team and oversight of the implementation of the Trusted Internet Connection and Einstein intrusion detection and prevention initiatives.
And, in Congress, administration cybersecurity policy is mostly presented and defended by senior DHS officials such as Deputy Undersecretary Philip Reitinger and Assistant Secretary Greg Schaffer, though Federal Chief Information Officer Vivek Kundra, who works for Orszag, addresses IT management and security matters before lawmakers.
Before President Obama named Schmidt cybersecurity coordinator, one of the most visible leaders promoting administration cybersecurity policy was DHS Secretary Janet Napolitano.
Giving additional responsibilities to DHS in getting other agencies to comply with FISMA could irk some senior IT leaders in other departments, so it's not surprising Orszag and Schmidt ended their memo seeking cooperation:
"All departments and agencies shall coordinate and cooperate with DHS as it carries out its cybersecurity responsibility and activities as noted here. Thank you for your assistance in the implementation of this memorandum."