Bipartisan bill would update federal cybersecurity rules, responsibilities

The leaders of the House Oversight Committee on Tuesday introduced legislation meant to revamp federal cybersecurity rules and clarify roles and responsibilities of top officials. 

The bipartisan measure represents the latest in a long series of attempts by Congress to update the Federal Information Security Modernization Act since it was established in 2014. Policymakers have overall failed to keep pace with the government’s rapidly evolving digital security needs, especially in the wake of the SolarWinds breach that impacted at least nine federal agencies.

“Nation-state adversaries like Russia and China, as well as other threat actors, present a constant danger,” House Oversight Committee Chair Carolyn Maloney (D-N.Y.) said in a statement, adding that the legislation “elevates our federal cyber defenses to the next level, taking a cutting-edge and strategic approach to ensure federal IT systems can better prepare for and respond to today’s cyber challenges.”

Rep. James Comer (Ky.), the panel’s top Republican, said recent cyberattacks “make it clear we need a modern update to the federal government’s cybersecurity practices to better protect against, quickly fix, and deter future damaging digital intrusions that can harm our economy and impact Americans’ daily lives.”

The bipartisan bill would assign cybersecurity policy development and oversight responsibilities to the Office of Management and Budget (OMB). The Cybersecurity and Infrastructure Security Agency (CISA) would be in charge of operational coordination and the National Cyber Director would handle overall cybersecurity strategy. (Neither organization existed when FISMA originally became law).

The proposed legislation would also codify OMB’s Federal Chief Information Security Officer, which was created in 2016. President Joe Biden tapped Chris DeRusha, a former White House cyber adviser and Homeland Security Department cyber staffer in the Obama administration, to fill the role. He has also been named deputy national cyber director for federal cybersecurity.

In addition, the House bill would require federal agencies to keep inventories of all their internet-accessible information systems and assets, as well as all software.

CISA would also be tasked with searching for opportunities for organizations to share their digital services and technical assistance so that such efforts aren’t duplicated or stove-piped within the sprawling federal bureaucy.