Shows & Panels
- AFCEA Answers
- Ask the CIO
- The Big Data Dilemma
- Carrying On with Continuity of Operations
- Connected Government
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Cyber Imperative
- Cyber Solutions for 2013 and Beyond
- Expert Voices
- Federal Executive Forum
- Federal IT Challenge
- Federal Tech Talk
- Mission-critical Apps in the Cloud
- The Path from Legacy Systems
- The Real Deal on Digital Government
- The Reality of Continuous Monitoring... Is Your Agency Secure?
- Veterans in Private Sector: Making the Transition
Shows & Panels
Calls for Senate-confirmed cyber official revived
Monday - 7/11/2011, 8:06am EDT
By Jason Miller
Federal News Radio
House lawmakers are renewing their call for a Senate-confirmed White House official to be in charge of civilian agency cybersecurity policy.
The Obama administration's legislative cybersecurity proposal did not include such a position despite strong support from both chambers of Congress. Instead, the White House's bill gives the Homeland Security Department the operational and policy responsibilities while the Office of Management and Budget retains the budget authority.
"There are several provisions in the administration's proposal I would like to see strengthened," said Rep. Elijah Cummings (D-Md.), ranking member of the committee. "First, I hope we will consider the creation of a Senate-confirmable official with authority to set administrationwide cybersecurity policy. It is important that the official responsible implementing the Federal Information Security Management Act (FISMA) have the authority to task all civilian depts. And agencies with implementation of the federal security standards."
Rep. Jim Langevin (D-R.I.) echoed Cummings on this issue.
Langevin, who introduced bills over the last two years to create this position and update FISMA, said current cyber coordinator Howard Schmidt doesn't have the right authorities. Langevin praised Schmidt for the job he is doing.
"We need a strong director's position in the Executive Office of the President that is charged with protecting our federal cyber networks," he said. "I want to see that position strengthened and I want to see it be a Senate-confirmed position with strong authorities."
Langevin said the White House official would have a top line view of all cyber efforts across the government. Currently, neither Schmidt nor DHS have that ability.
"Just last year the White House last year moved further away from this model by moving OMB's oversight for federal security to DHS," he said. "While DHS clearly has the operational lead for protecting the .gov network, what authority do they have to oversee agency budgets and actually compel these important technical challenges be addressed? OMB could do it, but does DHS have that sufficient authority? I really question that."
OMB gave DHS more authority July 2010 over all civilian agency networks, FISMA implementation and other operational elements.
Greg Schaffer, the acting deputy undersecretary for the National Protection and Programs directorate at DHS, said OMB retains the budget authority to be the enforcement entity.
"The legislative proposal would consolidate the oversight responsibility with the operational responsibility that we have and move things in the direction that we would be given the authority to direct departments and agencies to take action to improve their security and deploy appropriate protections," he said.
But Langevin, Cummings and others said this set up isn't enough.
In fact, one of the major Senate cyber bills, sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), would create a Senate-confirmed cyberspace policy director in the White House.
The White House proposal is not a bill yet, but should one come to the House floor without the requirement for a Senate-confirmed cyberspace director, Langevin wouldn't hesitate to introduce an amendment.
"I'm hoping that ultimately the legislation proposed in the last Congress, which was passed as part of the National Defense authorization bill, including stronger authorities for the cyber coordinator, which would be a directors position, Senate-confirmed and stronger authorities, I want to see that legislation passed," he said. "If there is another vehicle for adding a Senate-confirmed position with strengthened authorities, I would certainly consider that."
The Senate-confirmed White House official was one of two areas committee members focused on that was not in the administration's proposal.
Rep. Jason Chaffetz pressed Schaffer on the security of commercial hardware and software, and whether there have been instances of developers planting malicious code in the technologies.
Schaffer said he's aware of instances where this has happened.
"This is one of the most complicated and difficult challenges we have," he said. "The range of issues goes to the fact that there are foreign components in many U.S. manufactured devices. There's a task force that DHS and DoD co-chair to look at these issues with goals to identify short term mitigation strategies and also to make sure we have capability to maintain U.S. manufacturing capabilities over the long term."
Chaffetz said the concern is the agencies and the public don't know foreign developers are planting viruses and backdoors into software and hardware, and the government already has felt the effect of these attacks.