Law Gives OMB Oversight of Fed Cybersecurity Practices

Legislation approved by the Senate Government Affairs Committee gives the Office of Management and Budget new authority over federal agencies' cybersecurity practices, and puts them on notice to beef up their computer protection and be ready to prove it at annual audits.

By Anne Gallagher, Contributing Writer

The Government Information Security Act (S. 1993), introduced March 23 by committee chairman Sen. Fred Thompson, R-Tenn., and ranking Democrat Sen. Joseph Lieberman of Connecticut, lays out a comprehensive framework for federal agencies to make their systems more secure.

Specifically, the bill makes OMB responsible for oversight of government computer cybersecurity, Thompson said at the March 23 markup of the bill. For the first time, federal agencies will be held accountable for their cybersecurity, Lieberman said. Technology advancements are available to protect computer systems and networks better, and now the management changes will be made to implement those technologies, he said.

"The information systems in government are not as secure as they should be, because it is not a priority to make them secure," Lieberman said. The House Government Affairs Committee is working on comparable legislation, which should be out in draft form in upcoming weeks, congressional sources said.

Lawmakers in both chambers have been working on this legislation to expand on the White House's call and promise of new funding to protect the government's computer systems and networks from attack.

"The president's plan is very general," calling only for better cybersecurity but without specific details, Thompson said.

This new legislation puts OMB's deputy director of management in charge of monitoring all cybersecurity work at agencies, except for the Defense Department and Central Intelligence Agency, which deal with classified national security data. Those two agencies will be required to develop more stringent security policies and ensure those priorities are implemented, according to the bill.

Meanwhile, the heads of federal agencies that are not related to national security, who will report directly to OMB, must "identify, use and share best security practices" and "develop an agencywide information security plan," the bill said. They also must ensure that the agencies' information security plans are practiced throughout all life cycles of information systems, it said.

In addition, the bill requires all federal agencies to have an annual independent audit of their information security programs and practices to assess compliance with authorized requirements and to test effectiveness of information security control techniques.

The bill includes initiatives to attract the best and brightest information technology talent through scholarships, fellowships and federal service agreements.

Thompson believes the prospects for passing the legislation through Congress this year are good, despite a tight agenda because of upcoming elections. Recently, several committees have been exploring the problems of cybersecurity in the federal and private sectors, so there is widespread interest in the House and Senate to take legislative action sooner rather than later.

Thompson said the bill should not be viewed as controversial, boosting its prospects for swift approval.

"Sen. Lieberman and I introduced something we could agree on and something that could pass this year," Thompson said.

For example, the legislation steers clear of mandating that any specific technology solutions be used by agencies to address their cyberprotection needs. Information technology leaders urged the lawmakers in a series of hearings over the past few months not to dictate what technological solutions the government should use, Thompson said.

"We need to rely on private industry and adopt what techniques they have available," he said.

Committee member Sen. Pete Domenici, R-N.M., said he is concerned the government agencies are not making use of all cutting-edge, high-tech advances that are becoming so rapidly available. Federal government procurement practices prevent the government from moving as fast as industry in the high-tech arena, Domenici said.

"I cannot imagine that the computer process at [the Federal Aviation Administration] is what it would be if it were a private business," Domenici said. "Has anyone looked at this?"

In response, Thompson said that the annual independent audit reports will put pressure on the federal agencies to be accountable on their cybersecurity plans, pushing them to strive harder to keep pace with what is happening in the private sector.

"I would think these annual plans would call for more reliance on industry," he said.

But Thompson also said agencies likely will face budget constraints that could impede their ability to keep pace with innovations in the private sector.
