House Panel Wants to Give Agency CIOs Authority to Crack Down on Personal Email Use

Lawmakers on Tuesday advanced legislation that would let federal agencies stop employees from accessing personal email and other online programs or using personal devices for security purposes -- without consulting unions. 

The measure stems from recent incidents at the Department of Homeland Security and the Office of Personnel Management, where labor groups fought efforts there to shut off personal email access.

The American Federation of Government Employees filed a grievance against DHS Immigration and Customs Enforcement in 2014 for blocking webmail, and the Federal Labor Relations Agency sided with the union. When OPM in July locked employees out of Gmail, Facebook and other social networks after a massive background check hack, the union threatened to sue.

The Federal Information Systems Safeguard Act, approved by the House Oversight and Government Reform Committee, is meant to overturn the 2014 FLRA decision. The proposal would grant agency heads “sole and exclusive authority" to take actions that will bolster federal networks, without allowing unions a chance to bargain. 

The panel's top Democrat condemned what he said is a broad brush measure that could violate all manner of laws. The bill lets an agency "take any action" it determines is needed to reduce security weaknesses.

"No matter what you believe about blocking employee access to email, this bill goes so far beyond that it loses the point," Rep. Elijah Cummings, D-Md., said earlier in the day, in a statement opposing the legislation. 

After a nearly party-line vote, Cummings aide Jennifer Werner told Nextgov that Democratic members believe agencies already possess all the authority necessary to secure federal systems and merely need to discuss the execution of those decisions with federal employee representatives. 

Cummings, in his statement, said the proposal could open the door for any number of legal abuses in the name of security. 

"Could 'any action' mean violating the Privacy Act?" he put forward. "Could 'any action' mean an agency can avoid required reports to Congress on cybersecurity?

The American Federation of Government Employees in a Jan. 11 letter urged the committee to reject the bill. 

The legislation "would allow an agency’s information technology policy to supersede already existing collective bargaining agreements," Jacqueline Simon, the union's acting legislative director, said in the letter. "Federal agencies should not have unbridled authority to punish federal employees for any use of agency IT systems."

Committee Republicans say the current labor board ruling sets a dangerous precedent for information security.

“If agency directors are obstructed from taking immediate action to protect employees’ information without first going through collective bargaining, federal agencies are more vulnerable to attack,” Chairman Jason Chaffetz, R-Utah, and bill sponsor Rep. Gary Palmer, R-Ala., said in a Feb. 24 Washington Times op-ed. “Putting collective bargaining rights above security is preposterous.”

Chaffetz’s Senate counterpart has previously voiced support for letting departments have the ultimate say-so over restricting personal use of IT for security purposes.

At a Feb. 4 confirmation hearing for the new OPM director, Beth Cobert, the acting director, testified she cannot access her personal Gmail from her OPM computer.

"That's the way a lot of threats come in," she told Homeland Security and Governmental Affairs Committee members. "We all need to change the way we interact, the way we use systems at work and at home."

Committee Chairman Sen. Ron Johnson, R-Wis., agreed with Cobert, adding such IT actions, "should really be left up to the administration, not necessarily in negotiation with the union."

(Image via kpatyhka/Shutterstock.com)