DHS rules in White House cyber plan

The federal government's IT systems would be under the watchful eye of the Homeland Security Department under proposed legislation sent by the White House to Congress May 12. However, DHS would have only limited authority to oversee the security of privately owned critical infrastructure.

The proposal, which administration officials characterized as a starting point for discussions with Congress and industry, clarifies the DHS role as the lead cybersecurity agency with “primary responsibility within the executive branch for information security,” including the power to mandate policies and activities for government systems.

It also creates a regulatory framework for non-government critical infrastructure that requires owners and operators to develop security plans, and would establish a national requirement for notifying people of data breaches.

Related stories:

White House cyber plan would expand role of DHS, private sector

The plans would be evaluated by accredited auditors and reviewed by DHS. If found wanting, the DHS secretary would discuss the shortcomings with the operators and “take other action as may be determined appropriate.” This action would not include shutdown orders, fines or other monetary penalties or civil penalties, however.

Administration officials said the proposed regulatory framework is an acknowledgment that government does not have all of the answers and that cooperation is likely to be more effective than regulation.

The proposal will likely be reconciled with similar cybersecurity legislation that has been introduced in both the House and Senate.

One element not included in the White House proposal that has been included in other introduced bills is formal establishment of an executive branch cybersecurity officer. President Barack Obama has named Howard A. Schmidt as White House cybersecurity coordinator, but that position does not require Senate approval.

Rather, under the Obama plan, authority for coordinating and overseeing federal information security policy would be given to DHS, which will “develop and conduct risk assessments for federal systems and, upon request, critical information infrastructure.” The proposal would authorize the department to deploy and operate intrusion detection and prevention systems, such as Einstein, on government systems and give the department access to all government traffic.

The department also would establish a cybersecurity center to facilitate information sharing and collaboration among agencies, state and local governments, the private sector and international partners. The center would organize activities under a cybersecurity response plan and disseminate threat information. This essentially formalizes the role now played by the U.S. Computer Emergency Readiness Team.

Under the regulatory framework for critical infrastructure, the department would designate core critical systems whose disruption would pose a threat to the national security or economy, which would be required to maintain approved cybersecurity plans. DHS would “identify specific cybersecurity risks that must be mitigated to ensure the security of covered critical infrastructure; and review and designate frameworks to address such risks.”

The frameworks would be created in consultation with industry standards organizations and used to evaluate security plans. DHS would establish an accreditation for third-party evaluators that would assess the programs, which would then be approved by DHS.

Another requirement for the private sector would be data breach notification. The provision would replace the current patchwork of 47 state laws for notifying individuals when personally identifiable information has been lost, stolen or otherwise exposed.

The requirements would apply to organizations handling the personal information of at least 10,000 individuals a year, and they would be required to personally notify potential victims in the event of a breach, “unless there is no reasonable risk of harm or fraud.” This could be achieved by use of industry best practices and standards such as cryptography to protect the exposed files.

Notification, by mail, e-mail or telephone, would have to be made within 60 days unless a 30-day extension is granted by the Federal Trade Commission for further investigation, or the Secret Service or FBI decides notification would impede a criminal investigation. Companies also would have to notify the Secret Service, FBI and FTC of large breaches.

The FTC would enforce this section, although states would be able to bring civil action for violations.


About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.


  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Tue, May 17, 2011 slim

Sounds like more fed overreach - regulating critical infrastructure means there will be less of it (since the regulations measn it will be more expensive and more of a pain in the neck).

Mon, May 16, 2011

Hmm, there is a reason why continuous monitoring feeds are planned inputs into the Risk Management Framework. None of the current feeds into Cyber Scope take into account risk to mission, available resources or the fact that some data may be sneaker netted over and not be part of the network (ie mitagated). These risk considerations happen at the local level and looking at them at the federal level outside of the organization is just out of context. Secondly can anyone tell me why this mosaic of information on the highest federal vulnerabilities should not be held in a classified environment? This information should be on a need to know basis.

Mon, May 16, 2011

And just how would this new empire mesh with all the existing cybersecurity empires, especially DoD/NSA? It's all the same store. FedGov needs ONE agncy driving the train for everyone, or else everyone will keep proceeding merrily along their way.

Mon, May 16, 2011

Anyone ready for brown-outs?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above