White House officially hands cyber oversight to DHS

Memo outlining cybersecurity duties seen as a response to Congress' call for better compliance with security law.

The Homeland Security Department will, effective immediately, assume primary responsibility for making sure agencies comply with federal information security requirements, sidelining the Office of Management and Budget from administrative duties, according to a memo OMB and the White House cybersecurity coordinator released on Tuesday.

The memo is an attempt by OMB and the cybersecurity office to quiet calls from Congress to overhaul how the executive branch manages information security in the federal government.

OMB Director Peter R. Orszag and White House Cybersecurity Coordinator Howard Schmidt issued a memo that outlines roles for OMB, the White House and DHS in ensuring federal agencies comply with the requirements of the 2002 Federal Information Security Management Act.

According to the memo, DHS will exercise primary responsibility for checking agencies' compliance with FISMA, including continuous monitoring of information systems' security. OMB, which previously oversaw most FISMA compliance, will be responsible for submitting the annual report to Congress, developing and approving the cybersecurity portions of the president's budget, overseeing agencies' use of funds, and coordinating with the White House on policy issues.

Schmidt will work with DHS to ensure agencies meet FISMA requirements and will coordinate cooperation among agencies.

"Everybody interprets things differently," Schmidt said on Thursday after a speech at a cybersecurity event in Washington hosted by the Armed Forces Communications and Electronics Association. "We are looking to make sure there is clarity out there on stuff the people need to be doing . . . to be secure, which makes [them] FISMA-compliant."

But one former federal chief information officer, who is familiar with the government's cybersecurity issues and asked not to be named, believes the memo is a response to Congress' call, in a number of bills, for the restructuring of cybersecurity oversight.

"If it just restates existing policy, why does it include the 'effective immediately' phrasing in two sections? If you look back on the history of OMB in such management matters, they usually are more focused on protecting their role and prerogatives than getting the right thing done overall," the source said, pointing to the establishment of a governmentwide chief information officer under the 1996 Clinger-Cohen Act and the creation of DHS. "This is an 'everything is fine here and just leave us alone' fig leaf to try to forestall Hill action."

Alan Paller, director of research at the SANS Institute, said the memo is significant because it quells any argument that previous FISMA compliance guidance, which he said focused too heavily on reporting, still applies.

The memo "was critically important because agencies and contractors were recalling and repeating old OMB guidance that supported the multihundred-million dollars wasted per year on report writing to meet the overly broad FISMA guidance," he said. "This memo says the shift to DHS guidance is OMB approved."