Will your agency’s cybersecurity mandate change?

By Vyomika Jairam
Federal News Radio

Congress will have much on its plate when it returns from recess, and among the bills are a few that impact the nation’s cybersecurity strategy.

Melissa Hathaway is the nation’s former Cyber Coordination Executive and served as Acting Senior Director for Cyberspace early in the Obama Administration – the latest in a long string of public service positions.

In May, Hathaway released a report on all of the cybersecurity-related bills in Congress. What was a list of 52 bills, Hathaway said, is now down to two that could actually affect agencies’ cybersecurity mandate: the National Defense Authorization Act and the Intelligence Authorization Act.

The NDAA contains provisions that would reform the Federal Information Security Management Act of 2002. Hathaway said it would move the current security review standard from compliance to continuous monitoring. The proposed FISMA reform would also have an impact on the role of chief information officers or chief information security officers.

If you’re a CIO or CISO, Hathaway said, expect to look at continuous performance monitoring. The House version of the bill also addresses minimum standards, and may mean a closer look at keeping your IT supply chain safe from infected or counterfeit hardware.

The last element could mean the biggest change of all. Hathaway says that CIOs and CISOs can expect to play a greater role in the agency’s operations. She expects FISMA reform would give CIOs and CISOs more involvement in the IT and general acquisitions process, which could give them more of a voice within the front office of their agency.

“I believe that the CIO and CISO will become one of the foundational offices” at agencies across government, Hathaway said. But CIOs and CISOs will need more training and resources to fulfill the new responsibilities FISMA II envisions for them.

The Intelligence Authorization Act includes increased congressional oversight, additional compliance regimes, and calls for more vulnerability assessments, Hathaway said. It would also request that ODNI work with the Department of Justice and other agencies to inform Congress on what else needs to be done to increase the nation’s cybersecurity posture.

Hathaway said there are a few simple things that could change the cybersecurity strategy across the government. Among them is increasing the flow of information through broader monthly threat briefings and daily updates.

“That could…be implemented quickly, and I think it would have a strong impact for the CIOs and CISOs,” Hathaway said.

In the last 18 months, Hathaway said, cybersecurity threats have become far stealthier, and there is an understanding that the threat is no longer just Internet-based. Threats can also come from a multimedia device inside the network or even a Wi-Fi device.

Alongside the FISMA reforms, Hathaway said, there should be greater inspection of the supply chain: the provenance and chain of custody of the technologies and equipment acquired during the procurement process. Obtaining technology or equipment from true-source vendors isn’t always a high priority, which allows counterfeit hardware into systems and increases the risk to those systems.

Hathaway also believes congressional oversight could be made more efficient. A special joint cybersecurity committee, much like the one formed for the Y2K bug, is one possibility for overseeing potential solutions and implementations to the nation’s cybersecurity problems.

“It would allow the executive branch to focus on execution and implementation of key programs while only having to brief and inform one or two committees of Congress,” Hathaway said.