House FISMA Reform Would Empower Federal CISO With Budgeting Authority

Lawmakers in the House are considering legislation that would codify the role of the federal chief information security officer and endow the position with the power to shape the budgets of federal agencies.

The role of the federal CISO emerged out of memos issued by the Obama administration. And while there is confusion among some lawmakers regarding budget oversight under the jurisdiction of the position, the federal CISO doesn’t officially have a say in the process of approving budget requests federal agencies make every year through the Office of Management and Budget.  

“I got to participate in those processes, but I think it was largely relationship based, and I certainly didn't have an explicit approval authority,” former federal CISO Grant Schneider told Nextgov.

Schneider, now senior director of cybersecurity services at the law firm Venable, testified before the House Oversight and Reform Committee Tuesday on efforts to update the Federal Information Security Modernization Act of 2014.

“Codify the role of the federal chief information security officer as a presidentially appointed position within the Office of Management and Budget with appropriate budget and oversight authorities including approval of [the Cybersecurity and Infrastructure Security Agency]’s budget, and approval of agency cybersecurity budgets,” told the committee.

A discussion draft of legislation the committee released in advance of the hearing comes pretty close, calling for the presidential appointment and for the federal CISO to be a deputy to the national cyber director. Duties under the position would include, among other things, ‘the formation and issuance of recommendations to agencies on resource allocations and policies” and “reviewing annual budget proposals and making related recommendations,” according to the draft.   

In October, National Cyber Director Chris Inglis beat Congress to the punch. He appointed Federal CISO Chris DeRusha to be his deputy, saying the move should not be interpreted as a statement on their respective powers to make cyber budgeting decisions or a subjugation of DeRusha’s authorities. 

But Schneider said any federal CISO would likely be relying more on their personality right now than any authority over the budgeting process. 

“There's no direct authority for [the federal CISO] in the budget process,” he told Nextgov following the hearing. “So it comes down to the CISOs ability to influence and impact those budget requests right now. He may have the perfect relationships, but [whether] it's institutionalized,” matters.

Corresponding legislation to update FISMA that cleared the Senate Homeland Security and Governmental Affairs Committee in October does not mention the federal chief information security officer. But lawmakers in the House and Senate have expressed a commitment to working together.

“Our bill contains key similarities to its companion legislation in the Senate, which was introduced by our counterparts, Chairman Gary Peters and Ranking Member Rob Portman. I applaud their bipartisan leadership on this critical issue,” said House Oversight and Reform Committee Chairwoman Carolyn Maloney, D-N.Y. “We are committed to perfecting the bill together, and I’m confident that today’s hearing will help our bipartisan, bicameral coalition get this priority across the finish line this year.” 

Among other things, the House and Senate proposals would both change the time federal agencies have to report a major incident to Congress from 7 days to 72 hours. 

“Chairman Peters appreciates the work of the House committee,” a Peters aide told Nextgov. “Their discussion draft was released this morning and we are still reviewing all the changes that have been proposed. We look forward to working with the Committee on Oversight and Reform on a version of the bill that can become law.”