Federal cyber strategy gets modestly clearer

Chris Bronk is a research fellow at Rice University’s Baker Institute for Public Policy and adjunct instructor of computer science at Rice.

The federal government’s cybersecurity strategy is a little clearer now, if just barely.

In the roughly eight years since it became law, the Federal Information Security Management Act has been buried with heaps of criticism from many groups, including the small legions of government employees and contractors compelled to fill out assorted spreadsheets and questionnaires for what has become a massive score carding effort.

As enacted, FISMA required federal agencies to do something — anything, really — to secure their information systems. It mandates that agencies send reports to the Office of Management and Budget and then receive feedback regarding their performance. The process became grossly simplified, with a focus on counting systems, determining their importance and then making some back-of-the-envelope calculations regarding risk.

With FISMA, OMB could, in theory, deny an agency funding if it failed to take adequate measures to secure its computer systems.

Down the street, then-Rep. Tom Davis (R-Va.) issued grades. For nearly a decade, the congressman from Northern Virginia published an annual report card via the former Government Reform Committee.

But it turned out that agencies with narrow responsibilities — the General Services Administration, Environmental Protection Agency and U.S. Agency for International Development — typically got high marks, while those with frighteningly critical missions, such as the Defense Department, often scored an F. But what did those scores mean? Nobody gave serious thought to punishing DOD for a computer security grade issued by some congressional committee.

All of that has led OMB, the cyber czar and the sponsors of more than two dozen cybersecurity-related bills that have wended their way through the 111th Congress to rethink how the federal government handles cybersecurity.

FISMA still does not cover the classified computer systems at DOD or the State, Justice, Homeland Security and Energy departments, nor does it cover the intelligence community, which falls under the purview of the National Security Agency. Classified information technology has all sorts of rules and processes that are mostly classified, so not much help there. The key question is: How is a federal agency supposed to improve its cybersecurity beyond sending a report to OMB once a year?

An answer of sorts has appeared. More than a year after his arrival at the White House, Cybersecurity Coordinator Howard Schmidt issued a memo with Peter Orszag, the soon-to-be-departing OMB director, in which the pair write, “Effective immediately, DHS will exercise primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within FISMA.”

According to the memo, that means DHS will oversee implementation and reporting, FISMA compliance, cybersecurity operations, and incident response. That last point is the big one. Until now, it hasn't always been easy to know whom to call if you’re dealing with a cyber incident at, for example, the Bureau of Labor Statistics. Not anymore.

The Orszag/Schmidt memo makes it clear that DHS will be handling big cyber problems at the government's unclassified level. Now the catch: When are agency heads supposed to call DHS? According to the memo, “All departments and agencies shall coordinate and cooperate with DHS.”

What isn’t clear is how agencies will undertake that coordination and cooperation. Those duties need to be sorted out — and soon.