
Bill Looks to Close Federal Cybersecurity Loopholes

Lawmakers Want to Restrict Agencies From Postponing Security Measures
Rep. Lauren Underwood, D-Ill., and Sen. Ron Wyden, D-Ore., introduced the Federal Cybersecurity Oversight Act of 2020.

Sen. Ron Wyden, D-Ore., and Rep. Lauren Underwood, D-Ill., have introduced a bill designed to patch loopholes in the Federal Cybersecurity Enhancement Act of 2015 that they say allow federal agencies to easily avoid implementing required cybersecurity procedures.


"In 2015, Congress required federal civilian agencies to implement cybersecurity best practices, like data encryption and two-factor authentication," Wyden says. "The agencies, however, have the ability to issue themselves blanket, indefinite waivers for these cybersecurity measures."

The Federal Cybersecurity Oversight Act of 2020 would update the "exemption from federal requirements" portion of the 2015 law by putting in place specific measures that Wyden and Underwood say would make it more difficult for agencies to avoid implementing required cybersecurity measures.

"To secure our nation's infrastructure, we must prioritize that federal agencies are adhering to the best cybersecurity practices," Underwood says. "The Federal Cybersecurity Oversight Act will strengthen federal cybersecurity standards and facilitate congressional oversight to protect federal websites, confidential data and other critical systems from attacks."

Implementing Change

Under the proposal, instead of allowing agency directors to self-issue a waiver to bypass a cybersecurity task, they would have to obtain such permission from the Office of Management and Budget.

"Lax cybersecurity at federal agencies needlessly exposes Americans to privacy and security threats, while putting our national security at risk," Wyden says. "The Federal Cybersecurity Oversight Act would prevent civilian agencies from punting cybersecurity down the road indefinitely, leaving Americans' data open for attack from hackers and foreign spies."

The new bill would place a one-year limit on any waiver issued, replacing the current open-ended exemption. It would require agency directors to meet certain criteria to earn approval of a waiver, including:

  • Proving the requirement is excessively burdensome to implement;
  • Showing that the particular requirement is not necessary to secure the agency's system and data;
  • Proving that the agency has taken all necessary steps to secure the agency system and data.

The Original Measure

The Federal Cybersecurity Enhancement Act of 2015 was enacted in the wake of the Office of Personnel Management breach, which took place in June of that year. A federal government forensics investigative team concluded with "high confidence" that hackers stole the personally identifiable information of 21.5 million individuals (see: OPM's 2nd Breach: 21.5 Million Victims).

The 2015 bill required federal agencies to implement best cybersecurity practices to protect their computer networks. It required the Department of Homeland Security and the Office of Management and Budget to conduct comprehensive security assessments and hunt down and remove intruders in federal networks. And it authorized agencies to use the DHS intrusion detection and prevention system, Einstein.


About the Author

Doug Olenick


News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.
