DHS has slightly reduced role in Langevin’s cybersecurity bill


A spokesman for Rep. Jim Langevin, D-R.I., has just contacted LastWatchdog to point out that Langevin’s cybersecurity bill, the major comprehensive one in the House, is not the same as the White House proposal.

The major difference is that Langevin’s bill calls for a National Office for Cyberspace within the Executive Office of the President to oversee the security of agency information systems and infrastructure. While the Langevin bill entrusts the Department of Homeland Security with a significant role, this differs from the White House and Senate versions, which essentially center everything in DHS.

Here is a summary of Langevin’s proposed cybersecurity legislation. Much of it passed the House last year but was held up because the Senate planned to cover even more ground in its own bill, which never got done:

Executive Cyberspace Coordination Act of 2011, sponsored by Rep. Jim Langevin, D-Rhode Island

Background

In 2011, the CSIS Commission on Cybersecurity for the 44th Presidency released its second report with recommendations to increase the Federal government’s ability to protect itself and the American public from growing cyber threats. Like the first report, released in 2008, the second edition continues to recommend that the White House take a leadership role and direct national strategy for cyberspace; that the public sector enlist the help of the private sector in providing better-quality software; and that the American public be better engaged in what was previously a private discussion about the digital threats that could disrupt their everyday lives. The second report notes that after two years, the only significant progress has been the extent to which the American public is discovering the profound effects of the internet on their daily lives, and the importance of government efforts to ensure the safety of our networks.

Many in both the government and the private sector are frustrated with the pace of progress in cybersecurity. Analysts and senior officials in Washington talk about a “cyber 9/11” scenario, reflecting a belief that, as a nation, we will be unable or unwilling to take any meaningful action on cybersecurity until after a catastrophic event. The Executive Cyberspace Coordination Act of 2011 would update the nation’s federal cyber policy and bring strong cyber protections to the power grid and other critical infrastructure.

National Office for Cyberspace

The bill establishes a National Office for Cyberspace (NOC) within the Executive Office of the President to coordinate and oversee the security of agency information systems and infrastructure. The office would have strong budgetary oversight powers, backed by financial pay-for-performance authorities, while remaining accountable to Congress. Federal agencies would be required to report on their information security threats, practices and history to the NOC before submitting their budgets to OMB. The Director of the NOC would be appointed by the President, subject to Senate confirmation, and would also have a seat on the National Security Council. This would allow the Director to review agency information security budgets and make recommendations back to the agencies as well as to the President.

Increased coordination for Departments of Defense and Homeland Security

Recognizing the need for closer cooperation between the Departments of Defense and Homeland Security, the bill brings both agency partners to the table to better coordinate their resources, while placing that coordination under the authority of the Executive Office of the President.

Closing Gaps in Authority to Protect Critical Infrastructure

Homeland Security Presidential Directive-7 gives the Secretary of Homeland Security authority to coordinate the protection of critical infrastructure. This bill clarifies that authority to include the creation, verification and enforcement of measures to protect the information systems that control critical infrastructure. This does not give DHS control over private systems, but it allows the Department to establish risk-informed security practices and standards for critical infrastructure.

Secure Federal Acquisition Policies

The bill requires the development of secure acquisition policies for the procurement of information technology products and services, including a vulnerability assessment of any major system and its significant items of supply prior to development.

Establishing Cyber Challenge Programs for Students

Given the serious shortage of advanced cybersecurity skills in today’s workforce, the bill holds that the government must support educational programs designed to engage students in the skill sets they will need to keep the country competitive and safe online in the future.

Enhancing the Public Private Partnership for Critical Infrastructure

The bill requires DHS to work with the Departments of Defense and Commerce, the National Institute of Standards and Technology and the sector-specific Federal regulatory agencies to establish standards to protect critical infrastructure. These efforts would also be carried out in consultation with appropriate private sector bodies, including the private owners and operators of the infrastructure affected. This is meant to ensure that standards are based on the recommendations of cyber experts as well as those with first-hand knowledge of the challenges facing each industry.

Agency Annual Independent Audit

The bill requires agencies to obtain an annual independent audit of their information security programs to determine their overall effectiveness and their compliance with FISMA requirements. Audits would also be required of contractors that manage agency systems or programs on an agency’s behalf.

Agency Automated and Continuous Monitoring

The legislation sets forth requirements for agencies to undertake automated and continuous monitoring of their systems to ensure compliance and to identify deficiencies and potential risks caused by cyber incidents or threats to an agency’s information technology assets. These activities are intended to move agencies away from today’s manually intensive, compliance-focused, periodic assessments.