DHS Big Winner in Congressional CyberSec VoteLegislation Strengthens DHS's IT Security Wherewithal
Phyllis Schneck's job as deputy undersecretary for cybersecurity at the Department of Homeland Security should get a bit easier when President Obama, as expected, signs FISMA reform legislation that passed Congress this week.
When the Heartbleed bug threatened IT systems in and out of government earlier this year, Schneck's team had to go to other federal civilian agencies to get permission for DHS to scan their IT systems to determine if vulnerabilities existed that exploited weaknesses in OpenSSL software deployed by the agencies.
"We wasted a lot of time ... working out legal agreements to demonstrate legally to each agencies' lawyers that we needed to be there, probably had seven to 10 days of time when bad guys who now knew about the events could exploit it," Schneck told the Lawfare blog in September.
With the updated FISMA law, Schneck no longer would have such problems because DHS would be given the authority to conduct such scans without agencies' permission.
The FISMA reform legislation, which fine-tunes the law that governs federal government information security, was one of four cybersecurity bills Congress passed this week. All four bills play a role in strengthening DHS as a cybersecurity force within the federal government (see FISMA Reform Heading to the White House).
Codifying Current Practices
Reforms to the Federal Information Security Management Act would codify existing practices implemented by the Obama administration to give more sway to DHS in assuring the security of federal government IT. Simply, that means that future presidents can't on a whim undo the added authority given to DHS on cybersecurity matters.
After the trouble DHS had to go through to scan agencies' IT for Heartbleed vulnerabilities, the White House Office of Management and Budget issued a directive in October allowing DHS to conduct scans of agencies' systems (see DHS to Scan Agencies IT for Vulnerabilities).
"The federal government's response to the Heartbleed security vulnerability highlighted the need to formalize this process, and ensure that federal agencies are proactively scanning networks for vulnerabilities," then-OMB Director Shaun Donovan said in a memorandum to heads of executive departments and agencies.
With the new FISMA law, OMB and the White House won't need to act in a piecemeal fashion to grant DHS the authority to assure the security of federal civilian agencies.
OMB Still In Charge
OMB would remain the top entity with cybersecurity authority in the federal government, but as FISMA reform bill sponsor Sen. Tom Carper points out, OMB has on staff only a handful of cybersecurity experts compared with hundreds at DHS. So, DHS, under the new law, would become the enforcer in implementing federal government cybersecurity policies within the .gov domain of the federal government established by OMB. The Defense Department would have that role among defense agencies, and the director of National Intelligence would be the enforcer for the intelligence community.
Sen. Tom Carper explains FISMA in nautical terms.
Under FISMA reform, DHS would take over from OMB the administration of a central federal information security incident center that provides technical assistance to agencies, compiles and analyzes cyberthreat information and alerts agencies about them and help agencies conduct risk assessments.
DHS also would assess the status of agencies' implementation of data breach notifications policies and guidelines, as a result of the new law. The FISMA reform measure also would require agencies to report data breaches within 30 days of discovery of an incident to the Senate and House Judiciary Committees.
Cultivating DHS's Cybersecurity Credibility
How would the other bills approved by Congress and awaiting the president's signature strengthen DHS's cybersecurity credentials?
- The National Cybersecurity Protection Act codifies DHS's National Cybersecurity and Communications Integration Center, the government's organization to analyze and share cyberthreat information. Carper says designating the center in law bolsters the nation's cybersecurity and provides DHS with clear authority to more effectively carry out its cybersecurity mission. "It is critical that the department continues to build strong relationships with business, state and local governments and other entities across the country so that we can all be better prepared to stop cyber-attacks and quickly address those intrusions that do occur," Carper says.
- The Homeland Security Cybersecurity Workforce Assessment Act, a rider on the Border Patrol Agent Pay Reform Act, would identity and fill key cybersecurity positions at DHS and provide competitive compensation as well as identify IT security skills the department needs. "Slow and cumbersome hiring procedures have been a persistent challenge for DHS when competing for scarce cybersecurity talent," says Diana Burley, a Georgetown University professor who studies government IT security employment. "This bill will reduce these barriers to entry and enhance DHS's ability to compete with other agencies - most notably NSA and DoD - in hiring the limited number of cybersecurity professionals."
- The Cybersecurity Workforce Assessment Act, not to be confused with the aforementioned Homeland Security Cybersecurity Workforce Assessment Act, would require an assessment of DHS's cybersecurity workforce needs over the next decade. This measure also would call on DHS to determine the feasibility, cost and benefits of establishing a cybersecurity fellow program to offer a tuition payment plan for pursuing undergraduate and doctoral degrees who agree to work for DHS for an agreed-upon period of time.
In congressional testimony just hours before this week's votes on the cybersecurity legislation, DHS's Schneck spoke of the role she sees DHS performing as a cybersecurity leader: "DHS represents an integral piece of the national work in cybersecurity. We are building a foundation of voluntary partnerships with private owners of critical infrastructure and government partners working together to safeguard stability. ... DHS forms a crucial underpinning for ensuring the ongoing protection of our infrastructures, services and way of life."