Carper Bill Melds FISMA Update with White House Cybersecurity Office
The drumbeat for a primary White House role in cybersecurity got louder Tuesday. Democrat Tom Carper of Delaware, chairman of the Senate Homeland Security Federal Financial Management Subcommittee, was scheduled to offer a bill that would create a White House cybersecurity office as part of a larger update of the Federal Information Security Management Act. That jibes with a Commerce Department-oriented cybersecurity measure by Senate Commerce Chairman Jay Rockefeller, D-W.Va. But it clashes with promised legislation from Senate Homeland Security Committee leaders. (See separate report in this issue.)
The U.S. Information and Communications Enhancement Act, or U.S. ICE, previewed for the congressionally chartered Information Security and Privacy Advisory Board earlier this month (WID April 6 p1), was available only as a staff draft at our deadline Tuesday. FISMA needs to be updated to improve “situational awareness” in the federal government, by “using more effective enterprise-wide automated monitoring, detection and response capabilities,” the bill begins. Carper also was set to offer a bill to more closely monitor information technology spending in the federal government -- and halt projects before they become boondoggles.
U.S. ICE would create a National Office of Cyberspace whose director requires Senate confirmation. The director would develop and implement a plan that “enhances economic prosperity and facilitates market leadership” for U.S. industry; “deters, prevents, detects, defends against, responds to, and remediates interruptions” to U.S. network infrastructure; and protects privacy and civil liberties in the U.S. The office would give “recommendations” to agencies on protecting their networks and require those protections to be “commensurate with the risk and magnitude of the harm” resulting from breaches. It would annually review agencies’ information security programs and report to Congress on the “overall information security posture” of U.S. networks.
The White House office would set policies to standardize security requirements, or “lockdown configurations,” for commercial off-the-shelf products and services, “including cloud products and services,” purchased by the government. It would work with the Office of Management and Budget, National Institute of Standards and Technology and General Services Administration on developing policies. The White House and agencies would “precertify” such products “to the extent practicable.”
Agency heads would have greater responsibilities to create information security programs tailored to the risk levels of unauthorized disclosure of data they collect. They would delegate to chief information security officers the authority to enforce compliance with a program that, “on an automated and continuous basis,” can detect and respond to security incidents and work with the White House office when incidents “extend beyond” the agency’s control. Incident reports would have to go to the White House office, National Cyber Investigative Joint Task Force and inspector general within 24 hours of discovery. Agencies would have to submit “framework documentation” on their systems to the White House office on a quarterly basis. Each year, they would submit reports on the effectiveness of their programs to the White House office, Senate Homeland Security and Commerce committees and House Oversight Committee.
U.S. ICE gives new authority to the U.S. Computer Emergency Readiness Team at DHS. Agencies would be required to “effectively coordinate” with US-CERT. But the White House office would also have authority over US-CERT to determine its effectiveness in detecting and mitigating security incidents.
The Information Technology Investment Oversight Enhancement and Waste Prevention Act would create a Web site, updated quarterly, that lists the “cost, schedule and performance of all major information technology investments.” It would include a “graphical depiction of trend information” about projects, as well as highlight those projects with “variance” greater than 10 percent over their life cycle and disclose how many times they were “rebaselined.” Project managers would report to agency CIOs each quarter, and if they determine any “significant deviation,” CIOs would have to report the details to Congress. If there’s “gross deviation,” CIOs would also have to devise a remedial plan for the project and submit it to Congress.
The spending oversight bill would create an “IT tiger team” at OMB to help agencies avoid deviations in their IT projects. Their work on specific projects in need of correction could be supplemented with a limited number of outside consultants chosen by OMB.