COMMENTARY

Federal cyber strategy gets modestly clearer

Memo giving DHS the lead role on government cybersecurity answered some questions but raised others

Chris Bronk is a research fellow at Rice University’s Baker Institute for Public Policy and adjunct instructor of computer science at Rice.

The federal government’s cybersecurity strategy is a little clearer now, if just barely.

In the roughly eight years since it became law, the Federal Information Security Management Act has been buried under heaps of criticism from many groups, including the small legions of government employees and contractors compelled to fill out assorted spreadsheets and questionnaires for what has become a massive scorecarding effort.

As enacted, FISMA required federal agencies to do something — anything, really — to secure their information systems. It mandates that agencies send reports to the Office of Management and Budget and then receive feedback regarding their performance. The process became grossly simplified, with a focus on counting systems, determining their importance and then making some back-of-the-envelope calculations regarding risk.

With FISMA, OMB could, in theory, deny an agency funding if it failed to take adequate measures to secure its computer systems.

Down the street, then-Rep. Tom Davis (R-Va.) issued grades. For nearly a decade, the congressman from Northern Virginia published an annual report card via the former Government Reform Committee.

It turned out that agencies with narrow responsibilities — the General Services Administration, Environmental Protection Agency and U.S. Agency for International Development — typically got high marks, while those with frighteningly critical missions, such as the Defense Department, often scored an F. But what did those scores mean? Nobody gave serious thought to punishing DOD for a computer security grade issued by some congressional committee.

All of that has led OMB, the cyber czar and the sponsors of more than two dozen cybersecurity-related bills that have wended their way through the 111th Congress to rethink how the federal government handles cybersecurity.

FISMA still does not cover the classified computer systems at DOD or the State, Justice, Homeland Security and Energy departments, nor does it cover the intelligence community, which falls under the purview of the National Security Agency. Classified information technology has all sorts of rules and processes that are mostly classified, so not much help there. The key question is: How is a federal agency supposed to improve its cybersecurity beyond sending a report to OMB once a year?

An answer of sorts has appeared. More than a year after his arrival at the White House, Cybersecurity Coordinator Howard Schmidt issued a memo with Peter Orszag, the soon-to-be-departing OMB director, in which the pair write, “Effective immediately, DHS will exercise primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within FISMA.”

According to the memo, that means DHS will oversee implementation and reporting, FISMA compliance, cybersecurity operations, and incident response. That last point is the big one. Until now, it hasn't always been easy to know whom to call if you’re dealing with a cyber incident at, for example, the Bureau of Labor Statistics. Not anymore.

The Orszag/Schmidt memo makes it clear that DHS will be handling big cyber problems at the government's unclassified level. Now the catch: When are agency heads supposed to call DHS? According to the memo, “All departments and agencies shall coordinate and cooperate with DHS.”

What isn’t clear is how agencies will undertake that coordination and cooperation. Those duties need to be sorted out — and soon.

 


Reader comments

Thu, Jul 22, 2010 Dan Philpott FISMApedia.org

Not sure how this memo clarifies responsibilities, as it is an essentially open-ended statement which transfers an ill-defined set of responsibilities from OMB to DHS. Previously it was well established who was responsible for what in FISMA: OMB managed and NIST wrote the technical guidance. OMB worked with DHS on some capabilities, but the responsibility was firmly with OMB. Then the M-10-28 memo came along and listed some of what OMB and DHS would be responsible for but left the vast majority of what we knew to be in OMB's purview unmentioned. Beyond that, the memo throws new cybersecurity coordinator oversight into the mix for good measure. As a fairly well informed observer of FISMA implementation in theory and practice, I'm utterly flummoxed as to who does what now. What will the relationship between DHS and NIST be? Who approves new NIST documentation? What relationship will DHS have in developing guidance, as it is not even a member of the JTFTI? Who drives adoption and new initiatives? How will DHS provide oversight of peer agencies' FISMA compliance without any leverage or legislative authority? Does DHS have any authority, or are they providing a report-and-advise function? What does "reviewing the agencies' cybersecurity programs" entail? Does OMB or DHS issue memos governing FISMA and Privacy reporting?
