FISMA Reform Heading to the White House
Congress Passes Four Cybersecurity-Related Bills
Note: This story has been updated to reflect the House passage on Dec. 11 of the Cybersecurity Workforce Assessment Act and legislation codifying the National Cybersecurity and Communications Integration Center.
The House on Dec. 10 and 11 approved four Senate-passed cybersecurity-related bills - one to reform the Federal Information Security Management Act, another to help the Department of Homeland Security recruit and retain qualified IT security personnel and a third to codify an existing cybersecurity and communications operations center at DHS. A fourth bill, the Cybersecurity Workforce Assessment Act, passed the Senate as a substitute amendment Dec. 10. The House passed the amended bill that would assess the future DHS cybersecurity workforce on Dec. 11.
The last time Congress enacted significant cybersecurity legislation was the passage of FISMA in 2002.
Known as the Federal Information Security Modernization Act of 2014, the FISMA reform bill would replace the requirement that federal agencies file annual checklists showing the steps they have taken to secure their IT systems. Under the new law, agencies instead would continuously monitor their systems, largely through automated tools, to ensure their security.
FISMA reform also would codify the Obama administration action that elevated the Department of Homeland Security's role in getting other civilian federal agencies to comply with cybersecurity standards. The measure would retain the White House Office of Management and Budget's overall jurisdiction over federal government IT security.
DHS Deputy Undersecretary for Cybersecurity Phyllis Schneck told a Senate committee hours before the House passed FISMA reform that the bill would clarify and strengthen DHS responsibilities and allow the department to respond quickly to challenges such as Heartbleed, a vulnerability in the OpenSSL cryptographic software library. "Legislative action is vital to ensuring the department has the tools it needs to carry out its mission," Schneck says. "DHS had to go door to door securing authorization from federal entities to exercise our authority in responding to Heartbleed."
House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif., sponsored legislation that passed the House last year to reform FISMA, but that bill wouldn't have granted DHS additional authority on cybersecurity. Although he opposed the Senate version of FISMA reform, he did not block its vote in the House.
Assessing DHS Cybersecurity Workforce
The other bill making its way up Pennsylvania Avenue, the Homeland Security Cybersecurity Workforce Assessment Act (not to be confused with the aforementioned Cybersecurity Workforce Assessment Act), was a rider on the Border Patrol Agent Pay Reform Act, legislation that authorizes overtime pay to U.S. Customs and Border Protection agents.
That measure would authorize the Homeland Security secretary to designate key, senior cybersecurity positions within DHS and to name individuals to those posts. The secretary also would set competitive pay, incentives and allowances for those positions comparable to similar jobs in the Department of Defense, which has a better history of attracting cybersecurity talent.
As important, the legislation would identify the cybersecurity skills needed in DHS and assign each job a skill code. Experts say such a system is needed to understand what skills are required and which types of jobs align with those skills; otherwise, finding and retaining qualified staff becomes problematic.
"It is critical that the Department of Homeland Security has the authority to build a cyberworkforce that can respond to the evolving cyberthreats facing our nation today," says the bill sponsor, Sen. Tom Carper, D-Del., who chairs the Senate Homeland Security and Governmental Affairs Committee. "This legislation will give the secretary of Homeland Security personnel authorities that will improve its ability to compete with the private sector and other agencies to hire and retain the people it needs to combat the cyberthreats our country faces."
The legislation also would direct the DHS secretary to identify cybersecurity work categories and specialty areas of critical need in the DHS cybersecurity workforce, and submit a report to the Office of Personnel Management director that describes such categories and areas and substantiates the critical need designations.
In turn, the measure would require the OPM director to furnish the DHS secretary with advice to identify cybersecurity work categories and specialty areas of critical need, including areas with acute skill and emerging skill shortages.
Diana Burley, a professor at George Washington University who has studied government IT security employment, says the legislation has limits in attracting and retaining qualified personnel. "Over the last several years, DHS has attracted some of the nation's leading cybersecurity experts," Burley says. "The challenge has been retaining them; keeping them from moving to lucrative and less bureaucratically cumbersome private-sector positions.
"This bill focuses on one aspect of recruitment and retention. However, stable leadership, the operational environment, and the organizational culture and climate are also important elements of the overall DHS talent retention strategy which must be addressed."
Congress Votes to Codify Cyber Integration Center
As the House passed the FISMA reform and the DHS workforce bills on Dec. 10, the Senate approved legislation to codify the existing cybersecurity and communications operations center at DHS known as the National Cybersecurity and Communications Integration Center. On Dec. 11, the House approved the bill. The center serves as the federal civilian information-sharing interface for cybersecurity. The legislation would authorize the center's current activities: sharing cybersecurity information and analysis with the private sector, providing incident response and technical assistance to companies and federal agencies, and recommending security measures to enhance cybersecurity.
"One of the best ways that we can defend against cyber-attacks is to encourage the government and private sector to work together and share information about the threats we face," says bill cosponsor Tom Coburn, R-Okla., ranking member of the Homeland Security and Governmental Affairs Committee. "By codifying DHS's cybersecurity information sharing center, this bill sets the stage for future legislation for cybersecurity information sharing that includes liability protections for the private sector."
Legislation to provide cyberthreat information sharing has stalled in the Senate and is not expected to pass this year.
Clarification: An earlier version of this story referred to the Cybersecurity Workforce Assessment Act as the Critical Infrastructure Research and Development Advancement Act. That had been the name of the bill until the Senate amended the measure on Dec. 10.