White House cybersecurity proposal shifts FISMA responsibility to DHS
The Obama administration’s proposal on cybersecurity transmitted to Congress this week makes long-needed changes to the Federal Information Security Management Act (FISMA), judges to Alan Paller, research director at the SANS Institute.
The White House proposal, which is a comprehensive cybersecurity plan, includes a provision directing the Department of Homeland Security (DHS) “to exercise primary responsibility within the executive branch for information security. This includes implementation of information security policies and directives and compliance” with FISMA, except for national security systems.
This would in effect shift FISMA implementation responsibility away from the Office of Management and Budget (OMB) and the National Institute for Standards and Technology (NIST) to DHS, “where the knowledge of attacks informs the defense”, Paller said.
“The great failure of federal cybersecurity for the last decade was that it was a paperwork exercise because no one who knew how the attacks were done had any role in it”, he told Infosecurity. “DHS has already demonstrated that they are focusing on the critical controls….They are focusing on effectiveness measures, rather than make work”, he added.
The proposal would also expand the DHS authority over cybersecurity of private networks, particularly critical infrastructure. DHS would have the authority to develop and conduct risk assessments of private sector critical infrastructure systems and share information with the private sector about threats and best practices.
“This brings the same rationality to offense informing defense. Instead of telling people that they have to have a good security plan, what DHS’s role will be is to demonstrate what best practices are and make sure people are measuring against those best practices”, Paller said.
Henry Harrison, technical director for Detica, praised the requirements that DHS share information with private industry about cybersecurity threats. “The lack of public information about the reality of the risk and also the nature of the low likelihood, but very high impact risks – such as those posed by attacks on critical infrastructures – means that it can be difficult for private sector organizations to justify significant new investments in cybersecurity and explain countermeasures to shareholders on profit and loss grounds alone”, he said.
The White House proposal would also create a national data breach notification requirement standardizing various state laws.
“Today, our country has a patchwork of 47 state notification laws. Our proposal simplifies and strengthens this reporting requirement and reaches all Americans”, wrote Howard Schmidt, the White House’s cybersecurity coordinator, in a blog.
A number of Democratic senators recently wrote to the Securities and Exchange Commission asking for national guidelines for data breach notification under existing law. This proposal would enshrine national data breach requirements in federal law.
“A uniform set of [data breach] requirements that everyone is held accountable to helps level the market”, said Danny McPherson, chief security officer at VeriSign. “There is no benchmark for reporting, so a baseline that says, if a data breach is over this size, it needs to be reported and disclosed, would be helpful. From a consumer protection perspective, we are going to be in a better position and get a lot more insight into attacks,” he told Infosecurity.
A national requirement might also spur organizations to invest more heavily in information security measures to avoid data breaches that have a negative effect on reputation, McPherson added.
Commenting on the data breach notification requirement, Rob Rachwald, director of security strategy at Imperva, said that “forcing people to admit there’s a problem is a good first step. However, you do run the risk of numbing the public with constant data breach notifications. But the real target here is CEOs who have to be sensitive to investors as data breaches and IP theft do impact share price.”
In the letters transmitting the proposal to Congress, OMB Director Jacob Lew, summarized its key provisions.
“The administration’s proposal would protect individuals by requiring businesses to notify consumers if personal information is compromised, and clarifies penalties for computer crimes including mandatory minimums for critical infrastructure intrusions. The proposal would improve critical infrastructure protection by bolstering public-private partnerships with improved authority for the federal government to provide voluntary assistance to companies and increase information sharing. It also would protect federal government networks by formalizing management roles, improving recruitment of cybersecurity professionals, and safeguarding the nation’s access to cost-effective data storage solutions.”
Entrust CEO Bill Conner commented that it is “time for Congress to approve legislation that will hold both government and the private sector accountable for the security of sensitive data. Current cybersecurity legislation has been held up by legislative gridlock over congressional jurisdiction for far too long.”