FISMA Bill Drops in House Amid Confusion Over Federal CISO Role

UNITED STATES - JULY 11: Rep. John Katko, R-N.Y., leaves the House Republican Conference meeting in the Capitol on Wednesday, July 11, 2018.

UNITED STATES - JULY 11: Rep. John Katko, R-N.Y., leaves the House Republican Conference meeting in the Capitol on Wednesday, July 11, 2018. (Photo By Bill Clark/CQ Roll Call/POOL)

Rep. John Katko is continuing a campaign to make the Cybersecurity and Infrastructure Security Agency a central Chief Information Security Office—or CISO— for federal civilian agencies.

Members of the House Oversight and Reform Committee introduced legislation they hope will clarify the role of the federal chief information security officer by endowing the position with powers codified in statutes.   

The bipartisan bill, “clearly assigns federal cybersecurity policy development and oversight responsibilities to the Office of Management and Budget (OMB), operational coordination responsibilities to the Cybersecurity and Infrastructure Security Agency (CISA), and overall cybersecurity strategy responsibilities to the National Cyber Director (NCD),” reads a summary the committee released Tuesday, noting it, “codifies the OMB Federal Chief Information Security Officer.”

That tracks with how current Federal CISO Chris DeRusha sees his role. But some lawmakers aren’t so sure how the divisions are carved and believe calls for the Cybersecurity and Infrastructure Security Agency to become a federal Chief Information Security Office stand to compound the confusion.

“We can't have 130 CISOs in the federal government. We need CISA to be that quarterback and that CISO,” Rep. John Katko, R-N.Y., said recently at an event hosted by the Silverado Policy Accelerator, a think tank co-founded by Dmitri Alperovitch, former chief technology officer for the cybersecurity firm Crowdstrike.

Alperovitch has been pushing for an expansion of CISA’s role into a federal chief information security office for at least a year, supported by current and former CISA officials.

“I think as [House Homeland Security Committee] ranking member Katko said, having 100 plus different CISOs all acting independently is not the correct model,” Department of Homeland Security Under Secretary for Strategy, Policy, and Plans Rob Silvers, said at the recent event. 

Silvers highlighted greater empowerment of CISA in areas like threat hunting and the deployment of endpoint detection and response, but it’s not always clear what counts as “operational” and “policy” domains and whether CISA or OMB are the ultimate authority. In the summer of 2020, for example, the agencies coordinated their release of a binding operational directive on vulnerability disclosure policies.

"The federal CISO position, just like the federal CIO position, is primarily focused on policy development and oversight for all federal civilian agencies. As such, it’s not going to be inside one agency, it's going to be at OMB, that's the way we're structured today,” former Federal CISO Grant Schneider, now senior director of cybersecurity services at the law firm Venable, told Nextgov. “So, in my opinion, you need to ask people for more clarity when they say things like, 'the CISO should be here' or 'it should be there.' I would ask questions around what roles and responsibilities and duties they think should be performed by each organization."

Corresponding FISMA reform legislation in the Senate does not mention the federal CISO role. Katko’s office did not respond to a request for comment.