House, Senate Showdown Over FISMA Reform
Bills Could be at Odds Over DHS Role
On some basic points, the House bill would be similar to one introduced in the Senate in April by Sen. Tom Carper, D.-Del. Both measures would direct federal agencies to use real-time metrics to determine the true security of their IT systems, in contrast to the existing practice that requires them to show how they comply with FISMA rules. Both bills also would standardize across the government the security configurations of commercial off-the-shelf IT products and services that government agencies purchase.
Where the bills may have fundamental differences - the initial draft of the House version is weeks away from being finalized and the Senate bill remains in flux - are on the roles the White House and Department of Homeland Security play fostering the government's cybersecurity policy for federal systems.
A revised version of the Senate bill gives more sway than it originally did to DHS, including granting Homeland Security the right to review, though not approve, the IT security budgets of other departments and agencies. And, Senate bill writers this summer removed a provision from the original measure to establish a White House Office of Cyberspace to coordinate federal cybersecurity policy. The moves to amend the Senate bill seem to reflect the Obama administration's practice of relying on DHS as a leader on federal cybersecurity efforts.
But a letter written by one of the sponsors of the House bill, Rep. Diane Watson, suggests the House bill will not grant DHS as much authority. In the Aug. 18 letter, the California Democrat wrote that the departures earlier this year from government service of Melissa Hathaway, White House acting senior director for cyberspace, who conducted the administration's 60-day cybersecurity review; Mischel Kwon, U.S.-CERT director; and Rod Beckstrom, director of DHS's National Cybersecurity Center created "bureaucratic barriers" that included agency jurisdictional disputes, ineffective lines of authority and inadequate prioritization of protecting government cyberspace.
"I am also concerned that recently appointed DHS leaders and administration stakeholders remain disorganized and entrenched in ongoing jurisdictional disputes that have historically prevented them from making the kind of critical changes that are necessary to remedy our cybersecurity deficiencies governmentwide," wrote Watson, chair of the House Oversight and Government Reform Subcommittee on Government Management, Organization and Procurement. "These issues were only magnified by the refusal of DHS's National Protection and Programs Directorate to testify at the subcommittee's May 2009 hearing to examine the threats and vulnerabilities facing our government's cyber assets."
Watson's letter also expressed dismay that Obama has yet to name a cybersecurity coordinator and that, when he does, that person might not have the influence such an adviser should have. "I remain concerned that a future, White House cybersecurity policy officials ... will lack the necessary tools for carrying out the goals and objectives stated in the White House 60-day cybersecurity policy review," she wrote. "This office will require broad authority, appropriate resources and presidential support in order to effectively coordinate and harmonize the efforts of multiple civilian, military and intelligence stakeholders charged with carrying out a robust government-wide cybersecurity mission."
The sponsors of the House bill have yet to decide whether or not to codify a White House cybersecurity adviser in the measure. Still, the bill's authors are mulling a provision to give a White House cybersecurity adviser some sort of budget authority over agencies' IT security budgets.
House Oversight and Government Reform Committee Chairman Edolphus Towns, D.-N.Y., also is a chief sponsor of the House bill.