Standards, Regulations & Compliance
House Adopts Major Cybersecurity Measure
FISMA Reform Fate Tied to Don't Ask, Don't Tell
The House on Friday approved, by a 229 to 186 vote, the National Defense Authorization Act, which includes an amendment added Thursday to establish an Office of Cyberspace in the White House headed by a Senate-confirmed director. That director would have the authority to review civilian agencies' IT security budgets. The amendment is an amalgamation of the Federal Information Security Amendments Act of 2010, HR 4900, sponsored by Rep. Diane Watson, D.-Calif., which was approved last week by the House Oversight and Government Committee, and the Executive Cyberspace Authorities Act, HR 5247, introduced earlier this month by Rep. James Langevin, D.-R.I.
The National Defense Authorization Act is the same bill that includes another amendment to eliminate the military's don't ask, don't tell policy pending a Pentagon review. That amendment could jeopardize the overall bill's enactment because of potential resistance by senators who don't want to end don't ask, don't tell.
Still, by adding the amendment as a rider to the defense bill, Watson and Langevin are attempting to fast-track significant changes in the law, including major revisions to the 8-year-old Federal Information Security Management Act, which governs cybersecurity in the federal government.
"Not only does this amendment make necessary and wholesale improvements to our current cybersecurity policy and management framework, but it will also ensure that agencies have a strong leader within the Executive Office of the President to assist them in their efforts," Watson said in a statement. Added Langevin: "These provisions will establish strong, centralized oversight to protect our nation's critical information infrastructure and update our comprehensive policy for operating in cyberspace."
Major provisions of the amendment include:
- Creating a National Office for Cyberspace within the White House to coordinate and oversee the security of agency information systems and infrastructure. This office will have strong budgetary oversight powers that are backed by financial pay-for-performance authorities, while remaining accountable to Congress.
- Establishing a Federal Cybersecurity Practice Board within the cyberspace office to develop policies and procedures for agencies to adhere to in meeting FISMA statutory requirements, and to oversee the implementation of approved standards and guidelines developed by the National Institute of Standards and Technology.
- Requiring agencies to undertake automated and continuous monitoring of their systems to ensure compliance and identify deficiencies and potential risks caused by cyber incidents or threats to an agency's information technology assets.
- Ordering agencies to obtain an annual independent audit of their information security programs to determine their overall effectiveness and compliance with FISMA requirements.
- Developing secure acquisition policies to be used in the procurement of information technology products and services.
- Establishing the Office of the Chief Technology Officer within the White House to work collaboratively across the government and private sector to analyze and improve the use of information technology.
Both bills originally would have granted the cyberspace director the right to review and reject civilian agencies' IT security budgets, but the version attached to the defense authorization bill only allows the director to issue a non-binding disapproval of an agency's IT security spending. If a non-binding disapproval is issued, the director would recommend to the agency's head how to strengthen the budget.
Langevin, co-chair of the House Cybersecurity Caucus, pointed out that the amendment includes many of the recommendations of the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency, which he co-chaired, and "focuses on coordination of efforts to secure federal networks, develop smarter cyber policies and lead the world in standards and practices for responsible actions in cyberspace."