A House committee on Thursday approved by voice vote a bill that would overhaul federal cybersecurity laws to install a permanent cyber czar and chief technology officer, ensure continuous monitoring of networks, and do away with paperwork requirements that some said distracted managers from securing computer systems.
"This has truly been a bipartisan effort. This is a very good bill," said Rep. Edolphus Towns, D-N.Y., chairman of the House Oversight and Government Reform Committee.
The 2010 Federal Information Security Amendments Act (H.R. 4900) aims to bolster the government's defenses against cyberattacks that have grown in number and intensity since the original information security law was enacted almost a decade ago.
The proposal now heads to the House floor, where a vote is expected by mid-June, according to a Democratic leadership aide.
The bill would codify several Obama administration policies that many cybersecurity specialists say are key to fixing the 2002 Financial Information and Security Management Act. An April White House memo directed agencies to begin electronic, continuous monitoring of the security of their computers by the fall and to transmit monthly status reports to the administration. H.R. 4900 calls for constant, automated monitoring of IT systems to detect and respond to vulnerabilities. That differs from the existing FISMA practice of filing periodic paperwork that certifies networks are compliant with an array of security procedures.
Republicans and Democrats on Thursday agreed to a substitute amendment that would ensure procurement policies associated with cybersecurity do not discriminate against certain products and accommodate emerging technologies, said Rep. Diane Watson, D-Calif., who introduced the bill in March.
The Government Management, Organization and Procurement Subcommittee, which Watson chairs, initially approved the bill on May 5. Some industry groups raised concerns at the time about language requiring the government to issue a list of technologies, in order of priority, that agencies should use to automate security functions. Companies said the list would hastily choose winners and losers in a quickly evolving technology market and could stymie innovation.
"This is a mutually agreed to and completely vetted amendment," said ranking member Rep. Darrell Issa, R-Calif.
The bill also would establish a permanent director of cybersecurity and a CTO at the White House. President Obama used his regulatory powers to create the White House cybersecurity coordinator and CTO posts, now filled by Howard Schmidt and Aneesh Chopra, respectively. But he or any future administration can revoke the positions.
H.R. 4900 would demand agencies incorporate security requirements into IT contracts, rather than adding safeguards as separate investments. Federal Chief Information Officer Vivek Kundra testified in the spring before Watson's subcommittee that agencies should avoid attaching security as an afterthought, noting that IT investments are more effective when security is included by default.
The final bill does not contain language, proposed by a representative outside the committee, that would have granted the cyber czar budget authority and allowed the official to recommend that the president deny awards and bonuses at agencies that fail to secure their IT infrastructures. Members, however, drew from the intent of that language, contained in a bill that Rep. Jim Langevin, D-R.I., introduced on May 6, to give the cybersecurity director's office the "options necessary to encourage and maintain accountability of any agency, or senior agency official, for efforts to secure the information infrastructure of such agency," Issa's office said.
In the coming weeks, Sen. Joe Lieberman, I-Conn., chairman of the Senate Homeland Security and Governmental Affairs committee, is expected to unveil a comprehensive cybersecurity bill that includes language similar to H.R. 4900.