August 14, 2015
The House and Senate were in recess this week.
DHS Cybersecurity Announcements
Department of Homeland Security (DHS) Secretary Jeh Johnson announced this week that he was elevating the National Cybersecurity and Communications Integration Center (NCCIC) within the Department’s structure with an incident reporting line directly to the Secretary. Johnson also directed the National Protection and Programs Directorate (NPPD) to develop a reorganization plan that will ensure that the NCCIC is focused on strengthening DHS’ operational capabilities for mitigating and responding to cyber incidents. As part of this reorganization, Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications, assumed overall and direct responsibility for the NCCIC, and John Felkner, formerly the Director of Cyber and Intelligence Strategy for HP Enterprise Services, joined DHS as the new NCCIC Director of Operations. Felker replaces Larry Zelvin, who departed last summer.
And earlier this month, Secretary Johnson tasked his Homeland Security Advisory Council (HSAC) to establish a subcommittee entitled Cybersecurity Subcommittee. A notice in today’s Federal Register announced that the subcommittee was officially established. The Cybersecurity subcommittee will provide actionable findings and recommendations to the HSAC on best practices sourced from industry, state and local government, academic experts, and community leaders. It will also address the following: (1) Identify the readiness of the Department’s lifeline sectors to meet the emerging cyber threat and provide recommendations for building cross-sector capabilities to rapidly restore critical functions and services following a significant cyber event; and (2) How can the Department provide a more unified approach to support State, Local, Tribal and Territorial cybersecurity? The subcommittee’s findings and recommendations will be submitted to the HSAC for their deliberation and vote during a public meeting. Once the report is voted on by the HSAC, it will be sent to the Secretary for his review and acceptance.
CBO Report on Eliminating Budget Control Act Caps
The Congressional Budget Office (CBO) released a report this week that concludes that eliminating the Budget Control Act of 2011 caps on discretionary budget authority for FY16 and FY17 would make GDP larger than predicted under current law and increase full-time-equivalent employment. The report, “The Macroeconomic Effects of Eliminating Automatic Reductions to Discretionary Spending Caps,” was requested by Sen. Bernie Sanders (I-VT). Fully eliminating the automatic reductions would allow for an increase of $90B in FY16 and $91B in FY17. In FY16, CBO estimates that elimination of the caps would make real GDP 0.4% larger and would increase full-time-equivalent employment by 0.5 million. In FY17, the results would be smaller as CBO estimates that elimination of the caps would make real GDP 0.2% larger and would increase full-time-equivalent employment by 0.3 million. CBO warns, though, that while eliminating the reductions to the spending caps for FY16 and FY17 would increase output and employment over the next few years, the resulting increases in federal deficits would, in the longer term, make the nation’s output and income lower than they would be otherwise.
NIST Proposed International Cybersecurity Standards
The National Security Council’s (NSC) Cyber Interagency Policy Committee’s International Cybersecurity Standardization Working Group drafted a report that sets out proposed US Government strategic objectives for pursuing the development and use of international standards for cybersecurity, and makes recommendations to achieve those objectives. The Cybersecurity Enhancement Act of 2014 requires the Director of the National Institute of Standards and Technology (NIST) to work with relevant Federal agencies to ensure interagency coordination “in the development of international technical standards related to information system security,” and develop and transmit to Congress a plan for ensuring such coordination within one year of enactment. This NSC report will also serve as the basis of this required report to Congress.
The draft document proposes four broad objectives for the government’s pursuit of international standards in cyberspace:
- Improve national and economic security;
- Ensure standards are technically sound;
- Support standards that promote international trade; and
- Develop standards in tandem with industry to boost innovation.
The public comment period is August 10 – September 24.
Proposed Guidance for Strengthening Cybersecurity in Federal Acquisitions
The threats facing Federal information systems have dramatically increased as agencies provide more services online, digitally store data, and rely on contractors for a variety of these information technology services. The Federal Information Security Modernization Act of 2014 (FISMA), Office of Management and Budget (OMB) guidance, and National Institute of Standards and Technology (NIST) standards provide agencies with a framework for securing their information and information systems regardless of where this information is stored. This information can be on government information systems, contractor information systems, and contractor information systems that are part of an Information Technology (IT) service operated on behalf of the government. The increase in threats facing Federal information systems demand that certain issues regarding security of information on these systems is clearly, effectively, and consistently addressed in Federal contracts.
The Federal Chief Information Officers Council, the Chief Acquisition Officers Council, and Office of Management and Budget released draft guidance this week on how agencies should write acquisition policies and contracts to strengthen cybersecurity in Federal acquisitions. The guidance also defines who is responsible in the event of a breach, how incidents should be reported, and how systems operated by companies on behalf of the government should be assessed and monitored. The General Services Administration has 90 days to review the guidance and make recommendations on a baseline for better business due diligence to support risk management throughout the entire lifespan of an outsourced capability. The public has less than 30 days to provide their comments and recommendations for making the guidance more meaningful and effective. The draft guidance is posted on the open source platform GitHub and comments are due by September 10. Comments will be reviewed using an iterative approach.
Once the guidance is finalized, the Federal Acquisition Regulation will be amended for inclusion of contract clauses that address, as appropriate, the guidance covered in key sections of the new rules. After publication, federal agencies’ chief information officers, chief acquisition officers, chief information security officers, senior privacy officers, and other relevant officials shall immediately begin working together to apply the guidance.
GSA Cybersecurity Special Item Number
The General Services Administration (GSA) issued a request for information (RFI) this week in which they said that they are considering adding a special item number (SIN) for cybersecurity and information assurance (CyberIA) to IT Schedule 70. The goal is to make it faster and easier for agencies to buy security tools and services. GSA is looking for feedback on the CyberIA SIN from companies whose products and services would be listed there.
The proposed SIN would include hardware, software and services in eight categories:
- Information Assurance
- Virus Detection
- Intrusion Detection and Prevention
- Network Management
- Situational Awareness and Incident Response
- Secure Web Hosting
- Backup and Security Services
- Communications Security
The RFI is looking for industry feedback on how companies sell cybersecurity products and services, general opinions on creating a cybersecurity SIN, and thoughts on the eight proposed categories. Responses are due by 4 PM on September 11.
Stanley Lowe, Deputy Assistant Secretary for Information Security at the Veterans Affairs Department announced last week that he is retiring effective August 22 after 25 years in federal service.
Former Rep. Carol Shea-Porter (D-NH) announced this week that she will run for her old congressional seat challenging Rep. Frank Guinta (R-NH). This will be Shea-Porter’s sixth campaign for the seat, which she won in 2006, 2008, and 2012. Guinta is currently facing a campaign finance scandal after signing a conciliation agreement with the Federal Election Commission, which found that in 2010 Guinta loaned his campaign $355,000 in contributions that came from his parents. While Guinta agreed to pay a $15,000 fine and return the money, several Republicans in New Hampshire have called for his resignation including Sen. Kelly Ayotte (R-NH). Guinta has refused to resign and has said he may seek re-election in 2016.
“Little House on the Prairie” actress Melissa Gilbert announced this week that she’ll run for Congress against freshman Rep. Mike Bishop (R-MI) who succeeded Mike Rogers when he retired in 2014. The congressional district is considered a competitive district with Obama winning it in 2008 and Romney carrying it in 2012.
The House and Senate are in recess until September 8.