Panel OKs bill that would increase cybersecurity oversight
The bill would require the administration to provide documents about each program’s legal justification and certifications of its legality
The Senate Select Intelligence Committee has approved a bill
that would require the president to notify Congress about existing and
new cybersecurity programs that involve personally identifiable
The bill, which also would fund some programs
for fiscal 2010, would require the administration to provide documents
about each such program’s legal justification, certifications of its
legality, concepts of operations, privacy impact statements, and plans
for independent audits or reviews of the program.
The requirements would apply to cybersecurity
programs involving PII in which an agency is the intended recipient of
e-mail messages or other electronic communication, and in which at least
one of these situations applies:
- The agency uses another agency or department, such as the Homeland Security or Defense departments, to screen PII.
- The agency transfers PII to another agency or department for cybersecurity purposes.
- The agency transfers PII to an element of the intelligence community.
The committee said in its report
explaining the bill, dated July 22, that the measure's provisions
sought to set up a “preliminary framework for executive and
congressional oversight to ensure that the government’s national
cybersecurity mission is consistent with legal authorities and
preserves reasonable expectations of privacy.”
The committee said the requirements
intentionally exclude routine firewalls and antivirus programs that
could be considered cybersecurity programs. It also said the
requirements pertain to governmentwide cybersecurity programs.
“These types of programs pose challenging new
legal and privacy questions that make congressional and executive
branch oversight particularly important,” the report said.
Ben Bain is a reporter for Federal Computer Week.