Revamping the 2002 Federal Information Security Management Act is urgently needed, some say.
Cybersecurity will be a top priority for the Republican-led House in 2011, but it is unknown when Congress will act on legislation to revamp an outdated federal cyber law, say aides to incoming GOP leaders.
Details likely will emerge when Mac Thornberry, R-Texas, the new vice chairman of the Armed Services Committee, speaks early in the next Congress about defending cyberspace, say information security experts. On Dec. 15, Speaker-designate John Boehner, R-Ohio, tapped Thornberry "to lead an initiative on cybersecurity that cuts across committee lines." Thornberry aides declined to comment on his agenda this week.
Critics of the current federal cybersecurity mandate, the 2002 Federal Information Security Management Act, say it forces agencies to spend time and money documenting efforts to comply with controls instead of executing them. The House in June agreed to reforms that instead would require automated continuous monitoring, demand federal contractors install security features at the start of system development, and empower a cyber czar to recommend the president withhold funding from noncompliant agencies.
The measures were included in a version of the National Defense Authorization Act that the House passed last spring, but a Senate compromise that cleared Congress on Wednesday deleted the FISMA overhaul.
Incoming House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif., whose panel has jurisdiction over federal IT policies, supports the FISMA provisions, spokesman Frederick Hill said Tuesday night.
Federal cybersecurity "is a priority for the next Congress," he added. But Issa also has committed to granting inspectors general subpoena power, increasing scrutiny of federal financial management, bolstering the oversight of economic stimulus spending and revamping government IT contracting. "As far as where and when [cybersecurity] will fall in the timeline, it's too early to tell," Hill said.
The House Homeland Security Committee also could have a say in federal cybersecurity policy. Daniel Lungren, R-Calif., the new chairman of the panel's Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, wants cyber to be a priority early in the year, aides said this week. Committee members encountered jurisdictional problems with the Oversight panel this Congress when they wanted to act on a cyber bill that contained federal IT provisions. Lungren's office said it's too early to know when FISMA language will get a vote because the Oversight committee will have to consider it first.
Hill said, "There's certainly a number of committees that are interested in this. At this point, I'm not going to get into the conversations we are having with them."
Oversight member Gerry Connolly, D-Va., had sponsored a provision in the earlier defense measure that would create a permanent chief technology officer who would report directly to the president and coordinate federal IT efforts, including cybersecurity policies. Brian Bilbray, R-Calif., a former Oversight member, said he is interested in co-sponsoring the measure with Connolly in 2011.
"Members on both sides of the aisle agree that FISMA reform should be a high priority due to its national security implications," Bilbray said this week. "Since its inception FISMA has turned into a paperwork nightmare rather than a comprehensive strategy to protect federal information systems. We need a singular, cost-effective way to protect government information in cyberspace and I look forward to working with Congressman Connolly to achieve that."
Jim Langevin, D-R.I., co-chairman of the House Cybersecurity Caucus, expressed disappointment when lawmakers removed the federal cyber provisions from the defense policy bill and said he will push for passage in 2011.
"Our government is under attack every single day in cyberspace, yet we lack the coordination and strategy to properly defend ourselves or operate efficiently online," he said. "While there are many important provisions for the Department of Defense cyber efforts in this bill, the DoD already has the assets to begin addressing this crisis. The real challenges lie in securing our federal networks and developing a real comprehensive policy for addressing transnational threats as well as engaging international partners."