A new bill introduced in the House and Senate by two recognized congressional cybersecurity leaders would push federal agencies to further adopt cybersecurity best practices by making it more difficult to obtain waivers under the Federal Cybersecurity Enhancement Act of 2015.
The Federal Cybersecurity Oversight Act, introduced in the House by Rep. Lauren Underwood, D-Ill., and in the Senate by Sen. Ron Wyden, D-Ore., would require federal agencies to obtain waivers from the Office of Management and Budget (OMB) on an annual basis for the requirements under the 2015 bill – a step up from “the ability [for federal agencies] to issue themselves blanket, indefinite waivers,” as described in a press release. Rep. Underwood and Sen. Wyden both sit on the congressional committees that receive reports on these waivers from critical agencies about cyber incidents.
The provisions that would require a waiver from OMB include:
- Identifying sensitive and mission-critical data and cybersecurity vulnerabilities;
- Assessing access controls and storage of mission-critical and sensitive data;
- Encrypting mission-critical data;
- Implementing a single sign-on platform developed by the General Services Administration; and
- Implementing identity management and multi-factor authentication for remote access and accounts with elevated privileges.
To obtain a waiver, federal agency heads must certify that implementation would be excessively burdensome and unnecessary to secure agency data, and that all necessary steps have already been taken.
“The Federal Cybersecurity Oversight Act will identify cybersecurity vulnerabilities, strengthen federal cybersecurity standards and facilitate congressional oversight to protect federal websites, confidential data, and other critical systems from attacks,” said Rep. Underwood.
“Lax cybersecurity at federal government agencies needlessly exposes Americans to privacy and security threats, while putting our national security at risk. The Federal Cybersecurity Oversight Act would prevent civilian agencies from punting cybersecurity down the road indefinitely, leaving Americans’ data open for attack from hackers and foreign spies,” said Sen. Wyden.
The bill will go to the Senate Homeland Security and Governmental Affairs Committee and the House Committee on Oversight and Reform for consideration.