Measure could incorporate language that would link bonuses and awards to success at warding off computer system attacks.
A House committee as early as next week plans to vote on legislation that would overhaul federal cybersecurity by creating permanent cyber czar and White House chief technology officer positions, as well as possibly tying security performance to pay, Democratic aides said.
Democrats on the House Oversight and Government Reform Committee are negotiating with minority members on changes to a bill (H.R. 4900) that the Government Management, Organization and Procurement Subcommittee approved on May 5. The full committee intends to send a bipartisan bill to the House floor by Memorial Day, at the latest, Democratic aides said. Members also are examining the feasibility of adding pay-for-performance language contained in a separate bill introduced on May 6 by Rep. Jim Langevin, D-R.I., who is not a member of the committee.
The Democrats' bill, sponsored by subcommittee chairwoman Rep. Diane Watson, D-Calif., would codify the White House cybersecurity coordinator and CTO posts currently filled by Howard Schmidt and Aneesh Chopra, respectively, and make them subject to Senate confirmation. President Obama established both positions at the beginning of his term using his regulatory authority, but he or any future president could change the rules. Langevin's federal cyber measure (H.R. 5247), which already has bipartisan support, is like the Watson bill in that it also proposes to cement the cyber czar position within a separate White House office, but Langevin's bill would grant the czar budget authority.
Aides for committee ranking member Rep. Darrell Issa, R-Calif., confirmed Republicans are reviewing a number of bills related to federal cybersecurity, but could not publicly disclose the specifics of their conversations with Democrats at this time.
Lawmakers are dissatisfied with the current cybersecurity law -- the 2002 Federal Information Security Management Act -- because they say it demands too much reporting and not enough doing. Compliance with the law requires agencies to produce costly certification documentation and to focus on annual reports, instead of tracking incidents in real time as they occur, critics said.
Langevin's bill would empower the cybersecurity director to review and approve all civilian agency budget items that pertain to the protection of information technology. In addition, it would allow the director to recommend that the president deny awards and bonuses at agencies that fail to secure their IT infrastructures.
Some Democratic aides said Langevin's proposal might interfere with IT oversight activities inside the Office of Management and Budget. Still, they said there is merit to the notion of linking funding to execution, and they added OMB's enforcement of security policies has been lacking. The concern, however, is that usurping OMB's budget authority for security purposes could impede the Obama administration's ability to manage the overall federal IT portfolio. Prioritizing cybersecurity could hamper other OMB technology initiatives, such as data center consolidation or holding contractors accountable.
Langevin spokeswoman Joy Fox said the congressman "is hoping to see legislation that creates the strongest national cybersecurity office as possible. This means having a director with direct oversight and budgetary authority. He looks forward to working with the oversight committee to achieve this goal."
OMB officials said it would be premature to comment on any pending cybersecurity legislation, but they look forward to working closely with Congress on a new, comprehensive approach to securing the government's digital infrastructure.
Other provisions in the Watson bill are consistent with the White House's recent cybersecurity tactics. The bill would mandate that agencies include security provisions in IT contracts rather than adding protections later in the system development life cycle. In March, federal Chief Information Officer Vivek Kundra testified before Watson's subcommittee that agencies should "not bolt on security afterwards," adding, "frankly, security investments are best when they are actually baked into the systems that we're looking at and not where they are treated as discrete investments across the board."
In addition, the legislation would require live, automated reporting instead of the existing heavy paperwork. In April, Kundra's office issued a memorandum that requires agencies by the fall to begin digitally checking the security of their computer systems on a continuous basis, and by 2011 to feed summaries of this information to OMB on a monthly basis.
Tom Talleur, a former cyber criminal investigator at NASA's Office of Inspector General and the Defense Department, praised the concept of linking agency funding to IT performance.
"Fenced budget authority will work with a separate line item in agency budgets," said Talleur, who currently serves as a private consultant and adjunct instructor of forensic studies at Stephenson University. "We have this now with the IG budgets. I never had any trouble convincing OMB of our resource needs for our cyber crime program when I was at the NASA OIG."
But he said he opposes the concept of a Senate-confirmed cybersecurity director and CTO. "Previous cyber czars have been consultants and bureaucrats," he said. "We need professionals in these positions. If we politicize them, it will become a ticket-punching position for political hacks."
Some IT industry groups have commended Watson's efforts to expedite passage of a FISMA reform bill, but raised concerns about a proposal that calls for the government to develop a list of technologies, in order of priority, that agencies should use to automate security functions.
"We firmly believe that new services should be utilized by federal agencies, but a prioritized list would clearly identify winners and losers in a market that is dynamic, ever evolving and responsive to the latest demands," officials from TechAmerica, a trade association, wrote to Watson in a May 5 letter. "Such a list can become quickly outdated, thereby risking the continued use of technologies that are obsolete, and it can have the unintentional consequence of hampering innovation."
Democratic aides said the committee understands industry concerns that the present language might unintentionally restrict the use of emerging technologies, adding the committee will look at the issue.
The Senate also is working to update FISMA. Sen. Thomas Carper, D-Del., chairman of the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, introduced companion legislation S. 921 last year. Full committee chairman Sen. Joe Lieberman, I-Conn., plans to incorporate Carper's proposals into a forthcoming comprehensive cybersecurity package, Lieberman aides have said.