Bill would put DHS in charge of all civilian networks

Thursday - 6/10/2010, 10:00am EDT

WFED's Jason Miller on the DorobekInsider

Click to hear the report

Download mp3

By Jason Miller
Executive Editor
Federal News Radio

New legislation expected to be introduced today would give the Homeland Security Department broad new authorities and powers over federal civilian networks.

The bill, however, does not include a "kill switch" for private sector networks, as widely reported previously.

The legislation, Protecting Cyberspace as a National Asset Act of 2010, sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), would move the responsibility of civilian agency cybersecurity to DHS from the Office of Management and Budget, according to a summary of the bill obtained by Federal News Radio.

The responsibility to develop, oversee and enforce IT security throughout the federal government would fall to a new office in DHS, the National Center for Cybersecurity and Communications. A director confirmed by the Senate would lead the NCCC.

"Specifically, the director of the NCCC is responsible for providing agencies prioritized risk-based security controls that will mitigate and remediate vulnerabilities, attacks, and exploitations," the summary states. "In addition, this section requires the director of the NCCC to ensure agencies are in compliance with governmentwide policies and to review no less than annually whether agency information security programs are effective."

Along with the NCCC, the legislation also would create a White House Office of Cyberspace Policy, led by a director, who too would be confirmed by the Senate.

A Congressional source familiar with the legislation says the White House director and the NCCC director would form a policy and implementation team.

The source, who requested anonymity because the legislation hasn't been introduced yet, says the White House director would be accountable to Congress and have clearly defined responsibilities.

Among the responsibilities the bill gives the White House director of Cyberspace Policy are to review each agency's budget submission, develop regulations and standards for national information infrastructure and ensure cybersecurity policies safeguard privacy and civil liberties.

The bill comes as the House Defense Authorization includes a section that covers many of the same issues, and there are more than 40 other bills that address cybersecurity in some way.

Meanwhile, the NCCC director would take over the operational issues across civilian agency networks. It would be responsible for conducting red and blue team exercises to assess the strength of civilian agency networks.

"If the director determines through the operational evaluation that a federal agency is not in compliance with federal guidelines, the director, working in conjunction with the head of the agency, may direct implementation of corrective measures and mitigation plans," the summary states. "If the agency fails to take the directed corrective measures and this failure presents a significant risk to the federal information infrastructure, the director may direct the isolation of the agency's information infrastructure, consistent with the contingency or continuity of operations applicable to that agency, until the agency takes necessary corrective measures."

The NCCC director also would work with the private sector to issue interim final regulations establishing risk-based security performance requirements to secure critical infrastructure against identified cyber threats.

As part of the NCCC's work with the private sector, it would set cybersecurity requirements, which the private sector companies would choose the specific security measures to meet the requirements.

The source says DHS will not be able to mandate security measures, just set high level requirements. If the companies comply with the requirements, they would get liability coverage.

The bill also gives the President the ability to declare a national cyber emergency if attacks on specific types of critical infrastructure would cause a national or regional disaster.

The President would have to notify Congress of the emergency, why the existing security measures are deficient and what new things must be done to secure the networks.

The President would then require the director of the NCCC to issue emergency measures that would last only 30 days.

The source says this would be used only the most extreme circumstances and DHS or the White House would not be able to shut down private sector networks.

In addition to the NCCC and White House positions, the bill would create a Federal Information Security Taskforce, led by DHS and OMB.

The taskforce would include every agency's chief information security officer as well as those from the Defense Department and its services, representatives from the Office of the Director of National Intelligence, the National Institute of Standards and Technology, the Intelligence Community Incident Response Center, the Committee on National Security Systems and U.S. Computer Emergency Response Team.

"The Federal Information Security Taskforce will serve as the principal interagency forum for agencies to develop and share best practices for enhancing the security of their systems and networks," the summary states. "The Taskforce will be the vehicle through which the director of the NCCC establishes policies and guidelines to conduct operational evaluations [of agencies' computer networks] . In addition, the Taskforce will promote the development and use of standard performance measures for agency information security that are outcome-based, focus on risk management, align with business and program goals of the agency, measure improvements over time, and reduce burdensome compliance measures."