WASHINGTON, DC – Following a recent cyber-attack at the Office of Personnel Management (OPM) that compromised the personal information of at least 21.5 million Americans, U.S. Senators Dan Coats (R-Ind.), Susan Collins (R-Maine), Mark R. Warner (D-Va.), Barbara Mikulski (D-Md.), members of the Senate Intelligence Committee, and Kelly Ayotte (R-N.H.) and Claire McCaskill (D-Mo.), members of the Senate Homeland Security and Governmental Affairs Committee, today introduced bipartisan legislation that would bolster the Department of Homeland Security’s (DHS) authority to protect federal civilian networks.
“In recent years, cyber intrusions have grown in scope and scale, and the damage is alarming,” said Coats. “The breach of over 21 million federal employee records is the clearest indication yet that the federal government’s cyber defenses are wholly inadequate for today’s threat environment. This legislation would enable the federal government to get its own house in order by fulfilling the Department of Homeland Security’s mandate to protect the government’s networks. Today’s threats are too great to rely on each department and agency to protect their own networks, and recent evidence demonstrates that the status quo is unacceptable. It’s time for DHS to earn its title.”
While the Department of Homeland Security (DHS) has the mandate to protect the .gov domain, it has only limited authority to do so. Currently, DHS does not have the authority to monitor the networks of government agencies unless it has permission from an agency. DHS also cannot regularly deploy countermeasures to block malware without permission.
This limited authority hinders the security of .gov information systems which — as evidenced by the recent OPM attack — contain highly sensitive personal data, such as Social Security numbers, home addresses, dates of birth, and in some cases, extensive background information of federal employees, retirees and contractors.
To fix this problem, the bipartisan Federal Information Security Management Reform Act of 2015 (FISMA Reform) takes five important steps to strengthen the security of the networks of our federal civilian agencies.
- This legislation would allow the Secretary of Homeland Security to operate intrusion detection and prevention capabilities across all federal agencies on the .gov domain.
- The bipartisan bill would also direct the Secretary of Homeland Security to conduct risk assessments of any network within the government domain.
- The bill would allow the Secretary of Homeland Security to operate defensive countermeasures on these networks once a cyber threat has been detected.
- The legislation would strengthen and streamline the authority Congress gave to DHS last year to issue binding operational directives to federal agencies, especially to respond to substantial cybersecurity threats in emergency circumstances.
- The bill would require the Office of Management and Budget to report to Congress annually on the extent to which OMB has exercised its existing authority to enforce government-wide cybersecurity standards.
In addition, the legislation would require the Office of Management and Budget, which has existing authority to enforce cybersecurity standards, to report to Congress each year on how it is incentivizing federal agencies to implement robust cybersecurity standards.