Agency Cybersecurity Waivers Would Face New Time Limits, Oversight Under New Bill

With a new proposal that would require federal agencies to get permission from the Office of Management and Budget to opt-out of implementing specific cybersecurity practices— encryption of sensitive information and multifactor authentication—Sen. Ron Wyden, D-Ore., and Rep. Lauren Underwood, D-Ill., are challenging the status quo in cybersecurity policy.

“To secure our nation’s infrastructure, we must prioritize that federal agencies are adhering to the best cybersecurity practices,” Underwood, the new chair of the Committee on Homeland Security’s subcommittee on cybersecurity, infrastructure protection and innovation said in a press release of the bill’s introduction. “I’m pleased to join Senator Wyden to introduce this timely legislation.” 

The generally accepted theory in U.S. cybersecurity policy centers on risk management and the idea that because there are limited resources and variations in system designs and functions, each entity must decide for itself where and how to focus its protection efforts. 

The National Institute of Standards and Technology’s 2013 cybersecurity framework is at the heart of this. It references a host of security controls, but federal agencies, which are required to use the framework, are able to choose which of those controls they should implement according to the plans they design for themselves.

In the wake of the breach of the Office of Personnel Management—where the exposure of sensitive data of over 22 million people could have been avoided if the files were encrypted—lawmakers tried to take a more granular approach. 

They passed the Federal Cybersecurity Enhancement Act of 2015, which mandated that agencies identify their sensitive data and implement specific controls to limit access to it.  

“The consequences of the cyber attack on the Office of Personnel Management, for example, will not likely be fully known for years,” lawmakers said at the time. “[This] bill mandates several cybersecurity controls—including two-factor authentication and encryption for sensitive systems.” 

But, true to the conventional wisdom of risk management, the bill included significant exceptions. Agencies could avoid the mandates as long as their leaders or a designated official self-certified to the appropriate congressional committees that they were overly burdensome, for example.   

The new bill from Wyden and Underwood, the Federal Cybersecurity Oversight Act of 2020, would amend the 2015 law requiring agency heads to apply to the director of the Office of Management and Budget for such exemptions. There would also be reports to Congress on the nature of the waivers, which would be limited to one year.

Recent years have also seen other policymakers, including those at the Federal Trade Commission, move from relying on precedent for what qualifies as reasonable security to specifically identifying and requiring practices like encryption and multifactor authentication as part of that. 

Wyden has a reputation for technical savvy and a history of specifically supporting encryption and two-factor authentication.

“Lax cybersecurity at federal agencies needlessly exposes Americans to privacy and security threats, while putting our national security at risk,” he said in the release. “The Federal Cybersecurity Oversight Act would prevent civilian agencies from punting cybersecurity down the road indefinitely, leaving Americans’ data open for attack from hackers and foreign spies.” 

He also shared a little more about how the new bill came together with Underwood.

“Between Congresswoman Underwood’s excellent track record, her position as chair of the cybersecurity subcommittee and our shared background advocating for seniors before coming to Congress, it was a no-brainer to partner with her to strengthen the security of government systems,” he told Nextgov.