Legislation aimed at streamlining FISMA to improve information security processes and ease reporting burden on agencies.
A House subcommittee on Wednesday approved legislation that would make permanent the positions of federal chief technology officer and national cybersecurity director. An amendment, offered by Rep. Gerald E. Connolly, D-Va., to codify the CTO position was folded into H.R. 4900 following his year-long effort to pass a standalone CTO bill. President Obama used his regulatory powers to create the U.S. CTO job, filled by Aneesh Chopra, and the federal cyber czar position, occupied by Howard Schmidt, but the Obama administration or any other can easily eliminate the positions by writing new rules.
"To ensure that the chief technology officer can continue to improve federal use of technology in the future, we need to make this a statutory position," Connolly said on Wednesday.
Under the bill, the CTO would report directly to the president and focus on federal technology -- a departure from Chopra's current responsibilities, which mainly involve fostering private sector innovation. Chopra sits in the Office of Science and Technology Policy, where he reports to OSTP Director John Holdren, but has a direct line to Obama in his capacity as a presidential adviser.
The bill, which now moves to the full House Oversight and Government Reform Committee, is aimed at overhauling the 2002 Federal Information Security Management Act, whose implementation has been criticized for bogging down agencies with reporting requirements at the cost of shoring up systems. Schmidt and Federal Chief Information Officer Vivek Kundra in April rewrote FISMA regulations to lessen the reporting burden by automating the process through a Web portal that will collect live feeds from agency security management systems.
The legislation, sponsored by Rep. Diane Watson, D-Calif., chairwoman of the committee's Government Management, Organization and Procurement Subcommittee, would mandate that agencies use such automated monitoring to assess cyber threats. It also would bake security requirements into contracts to ensure that systems are protected at inception, rather than added on later as an afterthought.
Industry group TechAmerica praised the panel for advancing the bill but said it cannot fully support the legislation because of a provision that prescribes the use of specific technologies.
"TechAmerica is concerned about your proposal for a prioritized list of technologies. Such a list can become quickly outdated, thereby risking the continued use of technologies that are obsolete, and it can have the unintentional consequence of hampering innovation," Phil Bond, TechAmerica president and chief executive officer, wrote in a letter to Watson.