The Public Eye with Eric Chabrow

FISMA Reform Awaits Another Day DHS Cybersecurity Leader Seeks Authority to Aid Other Agencies
FISMA Reform Awaits Another Day
DHS Deputy Undersecretary Phyllis Schneck testifies before a Senate panel.

As Congress gets ready to leave Washington once again without enacting significant cybersecurity reform, the top cybersecurity policymaker at the Department of Homeland Security voices her concern about the lack of progress.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

Why is Phyllis Schneck concerned? Look back to last April, when reports of the Heartbleed bug that exposes a flaw in OpenSSL first surfaced (see Heartbleed: Gov. Agencies Respond).

Schneck, DHS deputy undersecretary for cybersecurity, said this week in an interview with the Lawfare blog that DHS was delayed up to 10 days in helping other federal agencies mitigate the threat posed by the Heartbleed vulnerability last spring. That's because current federal law is muddled on DHS's responsibility - or right - to intercede in safeguarding other federal civilian agencies information systems when vulnerabilities such as Heartbleed arise.

Exhausting Valuable Time

Schneck contends a patchwork of existing laws gives DHS the authority to mitigate threats facing other agencies' information systems by, for example, scanning for vulnerabilities. But before DHS could help, lawyers did their job, which exhausted valuable time that hackers might have exploited.

"To their credit, the lawyers were looking at the legal ways that we'd be getting on the network," Scheck says in the interview. "We lost a lot of time" - seven to 10 days - "and gave the bad guys an advantage with that. So, we're looking to mitigate that [moving] forward."

Despite the delays in addressing Heartbleed, another DHS official this week said the lag did not "enable the bad guys to exploit federal government systems."

Door-to-Door Solicitation

Schneck raised similar concerns last spring at a Senate hearing: "As fast as we could, we went door-to-door and got a letter of authorization from each agency, working with each lawyer, to make sure that we can scan [their systems]. That cost us precious ... days in some cases because the whole world knew about this vulnerability and all the information they could capture, while we were lawyering. If we had the clarification in law that this was our role, we would have gotten started a lot faster."

That clarification appears in the Federal Information Security Amendments Act of 2014, the Senate version of legislation updating the Federal Information Security Management Act, the law that governs federal government information security. But that authority is not found in the House version of FISMA reform, which passed that chamber unanimously last year (see FISMA Reform Passes House on 416-0 Vote). And therein lies the problem of getting FISMA reform enacted.

Some lawmakers, mostly Republicans, object to granting DHS additional authorities. They just don't trust DHS and don't think it's up to the task overseeing civilian agency IT security. The House version of FISMA reform does not provide the additional role of DHS securing other agencies' IT.

No Vote Scheduled

In June, the Senate Homeland Security and Governmental Affairs Committee approved the Federal Information Security Modernization Act of 2014, which grants DHS authority to help civilian agencies mitigate digital vulnerabilities (see FISMA Reform Heads to Senate Floor). That measure has yet to be scheduled for a vote by the full Senate as senators try to work out disagreements they have about the legislation.

Schneck, though, feels progress is being made. "We continue working with the Senate on these information security bills," she says. "I think a lot of good progress has been made."

Perhaps. FISMA reform might get a Senate vote, if not in the waning days of the pre-election session that wraps up at week's end, then during the lame-duck session that follows the midterm vote in November.

Seeking a Compromise

If the Senate passes FISMA reform, there's no guarantee it would become law. Unless either house accepts the other chamber's version of the measure word-for-word, then House and Senate conferees must draft a compromise bill both houses must approve. That could be a challenge. Would DHS antagonists accept an elevated role for DHS? If they don't, would supporters of the Senate bill concede DHS's promotion to federal agencies' cybersecurity guardian?

Still, with relatively few legislative days left in the current Congress calendar, the clock might run out even if a compromise on FISMA reform can be reached.



About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network