Bill Looks to Close Federal Cybersecurity Loopholes

Lawmakers Want to Restrict Agencies From Postponing Security Measures
Sen. Ron Wyden, D-Ore., and Rep. Lauren Underwood, D-Ill., have introduced a bill designed to patch loopholes in the Federal Cybersecurity Enhancement Act of 2015 that they say allow federal agencies to easily avoid implementing required cybersecurity procedures.
"In 2015, Congress required federal civilian agencies to implement cybersecurity best practices, like data encryption and two-factor authentication," Wyden says. "The agencies, however, have the ability to issue themselves blanket, indefinite waivers for these cybersecurity measures."
The Federal Cybersecurity Oversight Act of 2020 would update the "exemption from federal requirements" portion of the 2015 law by putting in place specific measures that Wyden and Underwood say would make it more difficult for agencies to avoid implementing required cybersecurity measures.
"To secure our nation's infrastructure, we must prioritize that federal agencies are adhering to the best cybersecurity practices," Underwood says. "The Federal Cybersecurity Oversight Act will strengthen federal cybersecurity standards and facilitate congressional oversight to protect federal websites, confidential data and other critical systems from attacks."
Under the proposal, instead of allowing agency directors to self-issue a waiver to bypass a cybersecurity task, they would have to obtain such permission from the Office of Management and Budget.
"Lax cybersecurity at federal agencies needlessly exposes Americans to privacy and security threats, while putting our national security at risk," Wyden says. "The Federal Cybersecurity Oversight Act would prevent civilian agencies from punting cybersecurity down the road indefinitely, leaving Americans' data open for attack from hackers and foreign spies."
The new bill would place a one-year limit on any waiver issued, replacing the current open-ended moratorium. It would require agency directors to meet certain criteria to earn approval of a waiver, including:
- Proving the requirement is excessively burdensome to implement;
- Showing that the particular requirement is not necessary to secure the agency's system and data;
- Proving that the agency has taken all necessary steps to secure the agency system and data.
The Original Measure
The Federal Cybersecurity Enhancement Act of 2015 was enacted in the wake of the Office of Personnel Management breach, which took place in June of that year. A federal government forensics investigative team concluded with "high confidence" that hackers stole the personally identifiable information of 21.5 million individuals (see: OPM's 2nd Breach: 21.5 Million Victims).
The 2015 bill required federal agencies to implement best cybersecurity practices to protect their computer networks. It required the Department of Homeland Security and the Office of Management and Budget to conduct comprehensive security assessments and hunt down and remove intruders in federal networks. And it authorized agencies to use the DHS intrusion detection and prevention system, Einstein.