Congress Strengthens Homeland Security's Cyber Role with FISMA Reform, Other Bills

Homeland Security Secretary Jeh Johnson testifies on Capitol Hill in Washington. Evan Vucci/AP

A 2002 computer protection law finally gets an upgrade.

Lawmakers have sent a raft of cyber legislation to President Barack Obama's desk, breaking through a six-year logjam. No doubt congressional action was spurred on by escalating intrusions into government and contractor networks. 

In a move backed by the White House, but not necessarily all Pentagon hawks, each of the measures positions the Department of Homeland Security as head of governmentwide cyber operations.

Since 2002 – when only purported Nigerian royalty sent malicious emails – agencies have had to compile an annual booklet of checklists self-certifying systems are accounted for and secure. Various proposals to mandate real-time monitoring have had strong bipartisan support -- but not much urgency.

Then came disclosures about massive Chinese cyberspying, the Target breach and revelations of sophisticated penetrations at the departments of Energy and State, the Office of Personnel Management and the White House, just to name a few.

Now, Congress has cleared an update to the more than decade-old Federal Information Security Management Act, or FISMA.

The bill mandates “automated security tools to continuously diagnose and improve security.” And it deputizes DHS to oversee governmentwide cybersecurity operations.

A 2003 presidential directive designated DHS the "focal point" for cyber, but a lack of formal power interfered with the assignment. FISMA 2.0 cements into law recent executive actions that had DHS aiding agencies and the White House creating cyber policy. The legislation does not cover military and intelligence community systems.

“There’s strong authority within the Department of Homeland Security to assist agencies operationally in defense and, to me, that’s the most critical point of this – a unified front and defense across all agencies,” former Agriculture Department Chief Information Officer Chris Smith told Nextgov.

What the bill does not do is prescribe specific network surveillance equipment.

Currently, DHS is managing a $6 billion “Continuous Diagnostics and Mitigation” contract from which agencies choose various sensors and consulting services a la carte. In their bill, lawmakers recognize “that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.”

Securing that multiyear contract for automated monitoring technology is one feat that demonstrates Homeland Security’s readiness to take center stage, said Smith, who served as USDA CIO from January 2008 to April 2012.

“This takes it to the next level in terms of continuous monitoring -- continuous diagnostics and mitigation -- which is what we need because the threat is ever-changing,” he said.

The clarity and adaptability of the measure provide a path for agency CIOs to move forward in lockstep, said Smith, now vice president for technology at AT&T Government Solutions.

“Five years ago, there were a lot of agencies that I had to coordinate with -- one of them being DHS -- to make sure that we were building out our architecture and operational capabilities,” he said.

Other cyber-related legislation passed this week includes an effort to fast-track cyber hiring at DHS, which has struggled to compete with private sector and military pay packages. The new bill empowers DHS to set rates of basic pay for new recruits and provide additional compensation, benefits and other sweeteners. Defense Department components, including the National Security Agency, have been authorized to offer the same incentives for years.  

But some security analysts note DHS has misused cyber workforce perks in the past. In 2010, then-DHS Secretary Janet Napolitano said her department had been granted regulatory direct-hire authority to add 1,000 new cyber professionals over three years. However, department information technology managers manipulated that flexibility to hire people without cyber skills for regular IT roles.

In another nod to DHS' place at the national security table, Congress approved legislation that will permanently place the existing 24-hour National Cybersecurity and Communications Integration Center at the department. The facility shares intelligence on cyber threats across the public and private sectors.

DHS Secretary Jeh Johnson said in a statement on Thursday, “On behalf of the men and women of this department, I appreciate the bipartisan support by Congress for our cybersecurity mission.”