The Executive Office of the President hasn’t submitted a FISMA audit since 2009.
When federal Chief Information Officer Tony Scott testified Wednesday before the House Oversight and Government Reform Committee to make the case for a $3.1 billion IT modernization fund, he faced a series of questions about the government’s archaic systems – some of which are more than 50 years old.
The most intense line of questioning, however, came from Rep. Mark Meadows, R-N.C., who pressed Scott on why the White House Executive Office of the President seemingly skirted annual cybersecurity reviews required under the 2002 Federal Information Security Management Act.
Meadows said the White House is required to submit annual cybersecurity reviews of its systems to Congress, called FISMA audits, but hasn’t done so since at least 2008.
Meadows was not pleased.
“The White House ... is required to submit them, but we can’t find where you’ve done them,” Meadows said. “Can you name a single year where OMB has submitted a FISMA report?”
Scott said his understanding was that the White House was not required to submit the reports under the law. Scott said he’d conferred numerous times on the issue with legal counsel.
“I’d suggest you go back and look,” said Meadows, who questioned the rationale that White House systems be exempt from basic cybersecurity reporting standards all other agencies must adhere to.
The issue first arose last year when two Senate committees wrote to President Barack Obama after Russian hackers breached the White House’s unclassified computer networks. The letter stated the White House last provided FISMA audit information in 2008.
Meadows said the White House’s decision not to provide FISMA audit information not only puts its systems more at risk, but sets a poor example for other agencies.
“Don’t you think it sets a bad example?” Meadows asked.
If the White House is required to do so under law, Scott acknowledged its noncompliance would “set a bad example.”
He added, “I will go back and check and get back to you.”