House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif., introduced the Federal Information Security Amendments Act last month. (Mark Wilson / Getty Images)
The House on Tuesday passed legislation that would require agencies to continuously monitor their networks for cyber threats and report any attacks to a central incident center.
The Federal Information Security Amendments Act, which passed unanimously, would update the government’s 13-year-old information security law and hold senior leaders accountable for their agencies’ cybersecurity.
The bill would ensure that agencies’ cybersecurity scores are tied to annual performance reviews of all managers, senior managers, Senior Executive Service personnel and political appointees.
“As technology continues to evolve, so will the sophistication and frequency of cyber attacks,” Rep. Darrell Issa, R-Calif., said in a statement. “Now is the time to update and strengthen our national cyber defense,” said Issa, who introduced the bipartisan bill last month.
Currently, cybersecurity reviews of federal IT systems are done annually. But the administration is nudging agencies to increase security reviews of their networks using automated tools and to report their security capabilities and shortcomings to the Department of Homeland Security.
The bill would direct agencies to:
Implement security programs approved by the Office of Management and Budget. Today, OMB establishes cybersecurity metrics that agencies must measure and report, such as their ability to automatically scan for and detect computers, servers and other hardware assets connected to their networks.
Mitigate risks associated with security incidents before substantial damage is done, and notify their inspector general and the designated government incident center.
Give their chief information officer authority and primary responsibility for developing, implementing and overseeing agencywide information security programs.
Lawmakers and administration officials have long agreed that the 2002 Federal Information Security Management Act (FISMA) needs updating to ensure agencies are monitoring and improving security regularly, as opposed to every few years.
House lawmakers passed another bill Thursday that would allow companies and federal agencies to voluntarily share and receive classified threat information with each other.
“I am very proud that so many of my colleagues were able to look past the distortions and fear-mongering about this bill, and see it for what it really is — a very narrow and focused authority to share cybersecurity threat information to keep America safe,” Rep. Mike Rogers, R-Mich., a co-author of the bill, said in a statement.
The Cyber Information Sharing and Protection Act passed the House by a largely bipartisan 288-127 vote. Ninety-two Democrats voted for the bill, including Rep. Jim Langevin, D-R.I., and Rep. Gerry Connolly, D-Va.
Connolly introduced an amendment to ensure cyber intelligence shared and retained under the bill would be used only for cybersecurity purposes.
A number of large federal contractors and trade groups, including the U.S. Chamber of Commerce, IBM, AT&T and Verizon, support the bill. But some civil liberties and privacy groups, such as the American Civil Liberties Union, oppose it.
The White House has threatened to veto the bill because it “does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities,” according to a White House statement.
Caitlin Hayden, spokeswoman for the White House’s National Security Council, said in a statement that “we have long said that information sharing improvements are essential to effective legislation, but they must include proper privacy and civil liberties protections, reinforce the appropriate roles of civilian and intelligence agencies, and include targeted liability protections.”