The chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee on the evening of July 27 introduced legislation aimed at bolstering the cyber defenses of federal civilian agencies by accelerating the deployment of an intrusion detection and prevention system and mandating stronger authentication practices.
The Federal Cybersecurity Enhancement Act of 2015 (FCEA, S. 1869) would speed up deployment by federal civilian agencies of the EINSTEIN intrusion detection and prevention system by clarifying legal authorities for the program and mandating agency adoption. EINSTEIN, which is managed by the Department of Homeland Security (DHS), is currently deployed across about 45 percent of federal agencies.
The new legislation appears to overlap somewhat with a cyber bill introduced by another group of senators the week of July 20. The Federal Information Security Management Reform Act of 2015 (FISMA Reform) would authorize DHS to conduct risk assessments and operate intrusion detection and prevention tools on all federal civilian networks without an agency’s permission. DHS currently needs permission from civilian agencies to monitor their networks and deploy cyber protection tools because of uncertainty about DHS’ authority to deploy EINSTEIN and agencies’ authority to participate.
Within one year of enactment, the FCEA legislation would require DHS to “deploy, operate, and maintain, to make available for use by any agency, with or without reimbursement,” capabilities to detect cyber risks in networks and prevent network traffic associated with these risks.
The FCEA bill was introduced by Sens. Ron Johnson (R-Wisc.), the chairman of the committee, and Tom Carper (D-Del.), the ranking member. The FCEA and FISMA Reform bills were introduced in the wake of the theft of personal data stored by the Office of Personnel Management (OPM) on current and former federal employees and contractors.
Johnson said in a statement that the FCEA bill would protect the privacy of millions of Americans’ personal data stored on federal networks, adding that “had the powers of this bill been implemented already, it likely would have stopped the hack of the Office of Personnel Management.”
The FCEA bill also seeks to bolster best practices in protecting government information networks. It directs the use of multifactor authentication for remote access to agency information systems and for each user account with elevated privileges on those systems, and the use of encryption for sensitive systems.
The legislation also calls for regular improvements to the EINSTEIN system including assessments of “commercial and non-commercial technologies and detection technologies beyond signature-based detection.” This, and the cyber hygiene provisions of the FCEA bill, set it apart from the FISMA Reform Act.
Other provisions of the bill call for the Government Accountability Office (GAO) to assess federal efforts to secure agency information systems, for DHS to report on the status of implementing intrusion detection and prevention capabilities and for the Office of Management and Budget (OMB) to analyze agencies’ application of these capabilities.
The FCEA bill would also mandate privacy protections for the EINSTEIN program and the data it collects.
The OPM breach was disclosed in June. The Obama Administration hasn’t officially named a culprit for the theft of millions of personnel records but officials have pointed to China as a likely source of the hack.
In response to the attack, OMB launched a 30-day cyber sprint for federal agencies to shore up protection of their networks, and DHS is working to make sure that aspects of the latest iteration of EINSTEIN are available to all federal civilian agencies by the end of 2015. DHS also directed that another program it oversees, Continuous Diagnostics and Mitigation (CDM), which agencies are deploying to monitor their networks for vulnerabilities, be made available to nearly all federal civilian agencies this year.
The FCEA bill would also authorize EINSTEIN, something that Homeland Security Secretary Jeh Johnson asked Congress to do in the wake of the OPM breach.
Earlier this year the House passed two pieces of cyber legislation designed to promote information sharing between the private and public sectors on cyber threat indicators by providing liability protections to companies that voluntarily share these indicators with DHS and other private entities and by removing legal barriers to such voluntary sharing.