Senate security bill would put burden on contractors

An ambitious bill introduced last week in the Senate aims to improve cybersecurity in federal government by laying new responsibilities on contractors in the areas of training, procurement and technical standards.

The measure, one of two cybersecurity bills that Sens. John Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) introduced last week, would require the licensing and certification of anyone providing cybersecurity services to a federal agency or information system or network designated as critical infrastructure. The Commerce Department would determine those requirements.

Some observers point out that many other professions require extensive licensing and certification.

Alan Paller, director of research at the SANS Institute, said it will be important to determine to whom the certification requirements should apply. For example, Paller said people with jobs that involve managing systems have large responsibilities for cybersecurity, even though they are not necessarily considered security professionals.
 
James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy program, said the certification proposal would require people to show they have the necessary training and knowledge. That would be part of what he sees as an ongoing effort to nudge the information technology industry to greater maturity. 

The legislation would also call for the development of validation standards for software purchased by government. Lewis said reform in the procurement process is widely seen as a way to encourage better cybersecurity.

Experts, federal officials and industry remain fixated on the Obama administration’s ongoing 60-day cybersecurity review, which is expected to lead to a new cybersecurity strategy that involves government and the private sector.

John Stewart, chief security officer at Cisco Systems, said government and industry need to be mindful of the speed with which the IT industry changes. 

“If we codify something that doesn’t have elasticity in it, or by the way gets highly prescriptive, what we’ll end up doing is solving a moment in time to a one degree and then not be able to adapt to the next moment,” Stewart said. 

About the Author

Ben Bain is a reporter for Federal Computer Week.
