U.S. Senator Ron Wyden, D-Ore., and U.S. Representative Lauren Underwood, D-Ill., introduced a bill to strengthen oversight of the cybersecurity of federal agencies.
In 2015, Congress required federal civilian agencies to implement cybersecurity best practices, like data encryption and two-factor authentication. The agencies, however, can issue themselves blanket, indefinite waivers for these cybersecurity measures.
“Lax cybersecurity at federal agencies needlessly exposes Americans to privacy and security threats, while putting our national security at risk. The Federal Cybersecurity Oversight Act would prevent civilian agencies from punting cybersecurity down the road indefinitely, leaving Americans’ data open for attack from hackers and foreign spies,” Wyden said.
“To secure our nation’s infrastructure, we must prioritize that federal agencies are adhering to the best cybersecurity practices. The Federal Cybersecurity Oversight Act will strengthen federal cybersecurity standards and facilitate congressional oversight to protect federal websites, confidential data, and other critical systems from attacks. I’m pleased to join Senator Wyden to introduce this timely legislation,” said Congresswoman Underwood, Chairwoman of the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.
The Federal Cybersecurity Oversight Act would increase oversight of these waivers, limiting the waivers to one year at a time and placing the Director of the Office of Management and Budget (OMB) in charge of issuing all waivers.
To request a waiver, the agency head must certify to OMB that:
- It would be excessively burdensome to implement the particular requirement;
- The particular requirement is not necessary to secure the agency system and data; and
- The agency has taken all necessary steps to secure the agency system and data.
A copy of the bill text is available here.