A cyber bill worth enacting

We have routinely supported those who call for the overhaul of the Federal Information Security Management Act and highlight the need for more effective, real-time situational awareness in securing federal information systems. So the long-awaited cybersecurity bill (S. 3480) introduced in the Senate June 10 by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Thomas Carper (D-Del.) is welcome news — and an important milestone that should draw cheers from many quarters.

The 2010 Protecting Cyberspace as a National Asset Act stands out among a recent flurry of congressional efforts to address national cybersecurity, in part for what the bill proposes and what it does not and because of its probability of being enacted.

The legislation, among other measures, would create a White House Office of Cyberspace Policy, led by a Senate-confirmed director, to oversee all federal cybersecurity efforts. It also would create a National Center for Cybersecurity and Communications at the Homeland Security Department to defend .gov networks and oversee the defenses of the nation’s most critical infrastructure. 

FISMA reform would elevate White House’s cyber authority

Consensus is growing for reform of flawed FISMA

Less visible but equally important, the legislation would set up a more clearly defined framework for government and the private sector to develop a baseline of security requirements that DHS would enforce for that infrastructure. It would provide DHS much-needed help in building its cyber workforce. 

The bill also recognizes the role federal procurement can play in getting vendors to do their part in the cyberspace ecosystem by focusing new attention on the potential vulnerabilities in the global supply chain — by requiring language in actual contract specifications, not just the Federal Acquisition Regulation, that addresses the integrity of products delivered to the government.

And it would at last do away with a central flaw of FISMA, by removing the outdated manual reporting requirement that wastes, by some estimates, $500 million every year, and replacing it with a requirement to move toward continuous automated monitoring and a foundation for dynamic cyber defense.

One provision of the bill, not surprisingly, has stirred up vocal concern in industry because it would give the president sweeping authority to order companies to take specific security actions to protect private networks from possible cyberattacks.

The concern is that government is too slow to respond and shouldn’t be telling the private sector how to manage its risks. Admittedly, DHS still has a way to go to prove itself. But the bill would actually help DHS better execute its charge to coordinate the situational awareness and forensics activities needed to respond to national cyberattacks. The intent of the legislation is to isolate catastrophic threats. That should actually provide incentives for key industry players to work more closely with DHS for the greater good, which is what this bill is about and why it deserves to reach the president’s desk and become law.