It would be nice to think that Congress finally got off its “you know what” to pass five cybersecurity bills over the last week because they finally realized their importance and necessity. Or maybe lawmakers finally moved on cyber because the White House signaled over the summer its acceptance that smaller may be better.
But in the end, the passage of five bills has as much to do with the changes coming to Congress in terms of rewarding long-time committee chairmen as with really grasping the desperate need for these bills.
All five of these bills, however, signal a long-coming and much-needed change to how agencies defend their computer networks and hire the people to do that critical work, so why complain about how Congress got there? Let’s celebrate the fact that after six years, they finally did.
“Our nation faces serious cybersecurity threats, including foreign nations and other adversaries that continue to compromise our networks and steal the American people’s sensitive information,” said Sen. Tom Coburn (R-Okla.), ranking member of the Homeland Security and Governmental Affairs Committee, in a statement. “These bills will help the nation address these threats. Updating the law for federal information security will ensure that agencies are accountable to Congress and the public for data breaches. Codifying the NCCIC will require DHS to improve its programs for assisting the private sector and sets the stage for future legislation to provide liability protection for sharing cyber threat information.”
Let’s start with the granddaddy of cyber: the Federal Information Security Modernization Act (FISMA). It’s been 10 years in the making and the lack of action by Congress forced the Office of Management and Budget and the Homeland Security Department to find workarounds — most prominently the move to continuous diagnostics and mitigation (CDM) and changes to the FISMA guidance.
“The original Federal Information Security Management Act passed by Congress in 2002 was transformational at the time, as it was the first effort to establish accountability for information security and privacy across federal departments and agencies,” said Bob Dix, vice president of government affairs and critical infrastructure protection for Juniper Networks, and a staff member on the Hill in 2002. “The updated FISMA recognizes the need and opportunity to achieve near-real-time insight into the cybersecurity risk posture of federal civilian networks and systems on a 24×7 basis, which will improve the ability to manage that risk and reduce the impact of an ever-evolving threat.”
Alma Cole, the former head of DHS’s security operations center and now vice president of cybersecurity at Robbins Gioia, said the two major changes in FISMA are the operational authorities given to DHS and the strict requirements for incident reporting to Congress.
“The term ‘binding operational directive’ is a new one which is designed to give DHS the ability to issue compulsory direction to an agency to take action on specific cybersecurity vulnerabilities or threats,” Cole said. “From its foundation, FISMA was designed to implement a risk management framework which included minimum baseline guidance but ultimately assigned the agency head with the responsibility of assuring that systems were adequately secured. The concept there, which still exists in language here, is that the security program and risk management overall can be properly aligned with the agency mission.
DHS now has operational authority to supersede that somewhat by laying down specific requirements or actions to address critical cybersecurity needs. Although some may not like that position, I believe that it is a good thing overall for the security of the federal government. The prominence of security professionals and their authority to adequately manage risk can vary greatly from one organization to the next.”
Another key area of the new FISMA law is the requirement for agencies to report security breaches to Congress within seven days.
Cole said the seven-day requirement is more reasonable than the one-hour rule OMB put in place to report cyber incidents to DHS’s U.S. Computer Emergency Readiness Team (US-CERT).
“This single reporting requirement may have more effect at getting agencies serious about information security than any other because of the scrutiny that could be placed on any particular incident by Congress,” he said. “This requirement could also necessitate much more time and resources being given to the incident response and reporting process, and will likely also involve much more of the senior agency official’s time to be on the Hill explaining what may have gone wrong which could have led to particular incidents. Expect focusing on cyber issues to improve from the agency head all the way down.”
Dix said the legislative update is an important step, but there are several other things agencies need to do day in and day out that also would make a huge difference, starting with workforce training and development.
The bill “requires the secretary to fix the rates of basic pay for any qualified position in relation to the rates of pay provided for comparable positions in the Department of Defense (DoD) and allows the secretary to provide such employees with additional compensation, incentives, and allowances.”
At the same time, DHS also will identify all of its cyber workforce positions, determine the primary work category and specialty area and standardize how those positions are tracked and filled with the proper employment code.
The workforce assessment bill requires DHS to assess its cyber workforce by position and to record whether each position is filled by a federal or a contract employee.
DHS also must develop a strategy to address readiness, capacity, training, recruitment and retention of cyber workers.
The plan must include a five-year implementation strategy and a 10-year projection of DHS’s cyber workforce needs.
“Accompanying the legislative update provided by the Federal Information Security Modernization Act of 2014 will require a consistent and sustained attention to workforce development and training; internal accountability; and an update to federal acquisition practices,” Dix said. “Continuing to make procurement decisions for information technology products and services based solely on lowest price is an invitation for those with criminal and nefarious intent to compromise the federal government’s information systems with counterfeit, tainted, or malicious products.
Moving toward a practice of purchasing IT products and services from trusted and authorized sources will be another important step in addressing supply chain assurance and product integrity, thereby further improving the security and resilience of federal networks and systems.”
Sen. Tom Carper (D-Del.) authored the bill to codify the NCCIC’s role in sharing threat data with government and private sector entities, and providing technical assistance to those organizations too.
Finally, the Cybersecurity Enhancement Act focuses on workforce and the cyber research and development community. The bill would improve coordination in government by requiring a strategic plan to assess cyber risk and guide direction of federal cyber research and development.
The bill also codifies the National Institute of Standards and Technology’s (NIST) current activities to help lead the development of voluntary cyber standards for critical infrastructure providers.
This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.