COMMENTARY

Federal cyber strategy gets modestly clearer

Memo giving DHS the lead role on government cybersecurity answered some questions but raised others

Chris Bronk is a research fellow at Rice University’s Baker Institute for Public Policy and adjunct instructor of computer science at Rice.

The federal government’s cybersecurity strategy is a little clearer now, if just barely.

In the roughly eight years since it became law, the Federal Information Security Management Act has been buried under heaps of criticism from many groups, including the small legions of government employees and contractors compelled to fill out assorted spreadsheets and questionnaires for what has become a massive scorecarding effort.

As enacted, FISMA required federal agencies to do something — anything, really — to secure their information systems. It mandates that agencies send reports to the Office of Management and Budget and then receive feedback regarding their performance. The process became grossly simplified, with a focus on counting systems, determining their importance and then making some back-of-the-envelope calculations regarding risk.

With FISMA, OMB could, in theory, deny an agency funding if it failed to take adequate measures to secure its computer systems.

Down the street, then-Rep. Tom Davis (R-Va.) issued grades. For nearly a decade, the congressman from Northern Virginia published an annual report card via the former Government Reform Committee.

But it turned out that agencies with narrow responsibilities — the General Services Administration, Environmental Protection Agency and U.S. Agency for International Development — typically got high marks, while those with frighteningly critical missions, such as the Defense Department, often scored an F. But what did those scores mean? Nobody gave serious thought to punishing DOD for a computer security grade issued by some congressional committee.

All of that has led OMB, the cyber czar and the sponsors of more than two dozen cybersecurity-related bills that have wended their way through the 111th Congress to rethink how the federal government handles cybersecurity.

FISMA still does not cover the classified computer systems at DOD or the State, Justice, Homeland Security and Energy departments, nor does it cover the intelligence community, which falls under the purview of the National Security Agency. Classified information technology has all sorts of rules and processes that are mostly classified, so not much help there. The key question is: How is a federal agency supposed to improve its cybersecurity beyond sending a report to OMB once a year?

An answer of sorts has appeared. More than a year after his arrival at the White House, Cybersecurity Coordinator Howard Schmidt issued a memo with Peter Orszag, the soon-to-be-departing OMB director, in which the pair write, “Effective immediately, DHS will exercise primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within FISMA.”

According to the memo, that means DHS will oversee implementation and reporting, FISMA compliance, cybersecurity operations, and incident response. That last point is the big one. Until now, it hasn't always been easy to know whom to call if you’re dealing with a cyber incident at, for example, the Bureau of Labor Statistics. Not anymore.

The Orszag/Schmidt memo makes it clear that DHS will be handling big cyber problems at the government's unclassified level. Now the catch: When are agency heads supposed to call DHS? According to the memo, “All departments and agencies shall coordinate and cooperate with DHS.”

What isn’t clear is how agencies will undertake that coordination and cooperation. Those duties need to be sorted out — and soon.


About the Author

Chris Bronk is a research fellow at Rice University’s Baker Institute for Public Policy and an adjunct instructor of computer science at Rice. He previously served as a Foreign Service Officer and was assigned to the State Department’s Office of eDiplomacy.
