Bill lays out stricter info security requirements for DHS

Conducting vulnerability tests against known cyberattacks and setting requirements for the CIO post would be part of a bill that fixes shortcomings in a federal security law.

A bill introduced in Congress this week would aim to tighten the lax computer security practices at the Homeland Security Department by requiring DHS to test its defenses against known cyberattacks and to set out stricter qualifications for cybersecurity positions, including the chief information officer.

Rep. Jim Langevin, D-R.I., introduced the 2008 Homeland Security Network Defense and Accountability Act (H.R. 5983) on Wednesday, almost a year after Congress held hearings on how vulnerable DHS networks were to cyberattacks and unauthorized users gaining access to databases. At the time, Rep. Bennie Thompson, D-Miss., chairman of the Homeland Security Committee, questioned former chief information officer Scott Charbo's commitment to securing DHS' networks and his ability to lead the effort.

The network defense and accountability act "raises the bar in terms of the qualification of people that would serve in cybersecurity positions, and requires stronger security protocols be put in place" at DHS, Langevin told Nextgov in an interview on Friday.

The bill also aims to correct what some security analysts say is a fundamental flaw in the 2002 Federal Information Security Management Act by requiring DHS both to test whether systems are compliant with security protocols and to assess its ability to defend networks DHS operates and those maintained by contractors against known cyberattacks.

"It's the first step in fixing the problem with FISMA," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md. "They'll need to answer the question, 'How well are we defending ourselves against known attacks?' That's a much more important question to ask [than what FISMA asks now]. All in all, we are losing information at a more rapid rate. New types of attacks are more sophisticated and are overwhelming our abilities to keep up."

Industry and other federal agencies, including the National Security Agency, will provide DHS with information on cyberattacks and threats that they've encountered so the department can test whether its networks are set up to successfully thwart the attacks.

The bill would work in tandem with FISMA, which uses certification and accreditation of systems as the primary means of measuring whether agencies are compliant with cybersecurity requirements. But FISMA does not address other cybersecurity practices that security professionals believe are more effective, such as vulnerability assessment. The bill also would complement other cybersecurity plans, including the Classified National Cyber Initiative, the details of which have been kept undisclosed by the Bush administration.

"This is not trying to trump the cybersecurity initiative," said Langevin, chairman of the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. "We're just trying to strengthen efforts within DHS. I'm not satisfied with the protocols around cybersecurity at the department. It's my hope that through oversight and partnering that eventually DHS will be a model for the world. But we have a long way to go to get there."

A DHS spokesperson declined to comment, saying the agency does not comment on pending legislation.

Under the bill, the Homeland Security CIO would be required to hire an incident response team to conduct vulnerability assessments on a regular basis for all connections to the Internet and any external network. That team also would provide continuous, real-time detection, investigation, response and containment of computer incidents that could pose a threat to information security or policy, as defined by the National Institute of Standards and Technology. The team would report incidents to department officials, as well as the U.S. Computer Emergency Readiness Team and maintain a current inventory of DHS' network architecture, including a diagram detailing how controls were positioned throughout the network to ensure security.

The bill also would require DHS to check if contractors had an information security policy that complied with department requirements for authentication, access control, risk management, intrusion detection and prevention, incident response, risk assessment, and remote access.

Langevin hopes to attract more experienced persons to the CIO position by laying out specific qualifications, including a demonstrated ability in and knowledge of information technology and information security, and requiring that candidates have no less than five years of executive leadership and management experience in IT security in the public or private sector.

"This raises the bar in terms of the qualifications of people that would serve in cyber security positions," he said. "They must have strong [IT] backgrounds and cyber experience. It's been my experience that the top people in cybersecurity at DHS don't always have the strongest cyber backgrounds. That needs to change."

Before the Bush administration appointed him CIO at DHS, Charbo had little experience in IT. While he served four years as CIO at the Agriculture Department, Charbo previously had worked as the head of the Office of Business and Program Integration in Agriculture's Farm Service Agency. He held numerous positions in the agriculture field, including president of mPower3 Inc., a ConAgra Foods company that provides information and solutions to the agriculture and food production communities. In February, DHS promoted Charbo to deputy undersecretary for the National Protection and Programs Directorate. Two months later, President Bush appointed Richard Mangogna, who worked with the IT consulting firm Mason Harriman Group, as DHS CIO. Mangogna also was CIO at JP Morgan Chase.

Once appointed, the CIO would have the authority to approve, implement, integrate and oversee all systems, as well as policies, procedures and funding relating to the management of information and the IT infrastructure, including the mission applications, information resources and personnel, according to the bill.

If passed, the bill would be effective immediately, and DHS would be required to provide a proposal for implementing its requirements within 90 days. As an authorization bill, no additional funds would be provided, and some aspects likely would be incorporated into existing initiatives, such as Einstein, a system that monitors agency networks using an automated process for collecting, correlating, analyzing and sharing computer security information with US-CERT.

When asked whether Congress will push for the bill's requirements to extend DHS governmentwide, Langevin said, "DHS and the protocols that they put in place under the legislation would be a model for other departments and agencies to follow. . . . This bill is not just about people; it's also establishing specific, necessary operation security practices."

"They ought to apply this to all agencies," SANS' Paller added. "It would be silly if the rest of government didn't step up to this bar."