Beyond the Hype of the Cybersecurity ActWhat the Senate Bill Means for Those Charged with Securing IT
U.S. government federal agencies would be required to continuously monitor and conduct penetration tests of their IT systems under the latest version of the Cybersecurity Act of 2012.
When sponsors last week reintroduced the Senate bill [see Cybersecurity Act Heads to Senate Floor], the debate mostly focused on the stripping of provisions from the earlier version that would have granted the government authority to regulate the mostly privately-owned national critical IT infrastructure. But the revised legislation also would make significant changes on how the federal government governs IT security.
The Cybersecurity Act, if enacted, would update the decade-old Federal Information Security Management Act, which governs federal government IT security. Among the changes to FISMA: Implementing risk-based continuous monitoring of the operational status and security of agency IT systems. The monitoring would evaluate the effectiveness of and compliance with information security policies, procedures and practices that entail selected management, operational and technical controls of information systems.
"This bill would replace our outdated, paper-based security practices with a real-time security system that can help our government fight the rapidly evolving and highly agile cyberthreats that we face today," says Sen. Tom Carper, the Delaware Democrat and bill cosponsor. "Agencies would be required to monitor their systems like a security guard, who watches a building through a video camera rather than just taking a snapshot, developing the film and report on the result once a year."
The legislation also would require penetration testing - so-called ethical hacking - exercises to evaluate whether agencies adequately protect against, detect and respond to cyber incidents. It also would provide for vulnerability scanning, intrusion detection and prevention.
Strengthening Cybersecurity Workforce
The legislation also would require the government to make an assessment of the cybersecurity workforce, as well as promote federal government careers in cybersecurity through a cyber scholarship-for-service program and national cybersecurity competitions and challenges, tailored for high school, undergraduate and graduate students as well as veterans.
Another key provision of the Cybersecurity Act would require the directors of the Department of Homeland Security-based National Center for Cybersecurity and Communications, which the bill would create, and Office of Personnel Management to develop within one year of the measure's enactment comprehensive occupation classifications for federal IT security employees.
Defining roles on real tasks is critical in developing IT security curriculum, creating certification programs and screening professionals [see 7 Key Infosec Occupation Categories].
"Very different skill sets and proficiencies are required for the various roles involved in securing our cyber assets," says Franklin Reeder, a former Office of Management and Budget executive and co-author of a 2011 study on IT security skills needed by the federal government. "An intrusion detection analyst does very different things from, say, a software developer or a system administrator. ... Ultimately, we need a regime of screening tools and professional certifications that test proficiency, not just knowledge and skills."
R&D's 2-Fold Upshot: Security and Jobs
Other provisions in the bill would encourage the research and development of IT security technologies, including those to deploy more secure versions of fundamental Internet protocols, detect and analyze intrusions that include malicious software, improve mitigation and recovery processes and to understand behavioral factors that can undermine cybersecurity. "We can develop cutting edge technologies here at home and bring jobs to our country," Carper says. "Doing so will not only make us safer as a nation, it will help ensure that America's workforce is better prepared for tomorrow's job market, and tomorrow is just around the corner."
Some of the bill's provisions codify existing practices. For instance, most agencies have a chief information security officer, but the measure would require each agency head - the official who is ultimately responsible for its IT security - to name a senior official to oversee cybersecurity initiatives.
The revised Cybersecurity Act would require each agency head to implement an information security program to develop, executive and maintain an information risk management strategy that considers threats, vulnerabilities and consequences. The policy's aim would be to reduce information security risks to an "acceptable level in a cost-effective manner," the bill states.
The measure would require agencies to develop information security awareness training for employees, contractors and others with access to their IT systems.
Under the bill, agencies would be required to:
- Develop a process to ensure that they take remedial actions to mitigate information security vulnerabilities and address deficiencies in IT security policies, procedures and practices.
- Notify law enforcement agencies, inspectors general and relevant Congressional committees in the event of information security incidents.
- Submit annual reports to Congress that would describe each major information security incident that resulted in a significant compromise as well as threats and vulnerabilities and how the agencies handled them.
- Comply with cybersecurity standards developed by the National Institute of Standards and Technology.