Legislation being drafted by an influential Republican House chairman to reform the Federal Information Security Management Act could, if enacted, reverse Obama administration policy on how IT security is governed in the federal government.
The draft legislation unveiled by Rep. Darrell Issa, the California Republican who chairs the House Oversight and Governmental Reform Committee, employs similar language as the 8-year-old FISMA, in which governance of IT security is vested with the director of the White House Office of Management and Budget.
Melissa Hathaway, who played pivotal roles in developing the cybersecurity policies for Presidents George W. Bush and Barack Obama, points out that nearly two years ago the Obama administration shifted much of that authority to the Department of Homeland Security from OMB in a document known as OMB Circular 10-28: Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security.
As Hathaway notes, the memo states that that DHS will exercise primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to federal information systems that FISMA governs. DHS activities will include, but not be limited to overseeing:
- Government and agency implementation of and reporting on cybersecurity policies and guidance;
- Government and agency efforts to provide adequate, risk-based and cost-effective cybersecurity, as well as assist agencies in doing so;
- Agencies’ compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report; and
- Agencies’ cybersecurity operations and incident response and providing appropriate assistance.
Circular 10-28 also gives DHS the authority to review annually agencies’ cybersecurity programs.
Hathaway also says FISMA reform needs to go further than Issa proposes if agencies’ chief information officers and chief information security officers are to be held accountable for the network and infrastructure health of departmental and agency IT systems, something Issa’s draft bill and other proposed legislative measures seek.
“Why?” Hathaway asks and then answers: “Because it is not enough just to know you have an issue – through continuous monitoring – you also have to do something about it. The FISMA reform bills need to add that each department and agency must also have a rapid-response capability.”
Because the Issa bill is inconsistent with how FISMA is being implemented, it’s crucial that the staffs of the Oversight and Government Reform Committee along with the Homeland Security Committee collaborate to best reform FISMA and establish the roles and responsibilities for implementing, overseeing and complying with the new law, Hathaway says, adding that the staffs also should address penalties agencies would face if they do not comply with the law.
It’s unclear whether Issa’s Federal Information Security Amendments Act of 2012 was drafted by committee staffers who picked up the language of the original FISMA unaware of Circular 10-28 – a possible, but unlikely prospect – or is a reflection of a position by some lawmakers who believe DHS should not be given authority over other agencies in determining how they implement federal cybersecurity policies. Still, if long-overdue FISMA reform is to occur in 2012, an agreement on DHS’s role in federal IT security governance must be found.