A bipartisan group of senators introduced a bill Wednesday that would give the Department of Homeland Security broader authority to protect civilian agency computer systems from attacks.
The Federal Information Security Management Reform Act of 2015 would give DHS the ability to detect and prevent intrusions without waiting for a request from an agency, conduct risk assessments and deploy countermeasures on any network on the .gov domain, and strengthen the department’s ability to issue cybersecurity directives across federal agencies.
The bill comes after Washington has been rocked by the two hacks at the Office of Personnel Management, which saw information on more than 22 million current, former and retired government employees exposed.
“In the wake of the OPM breach, I think we can all agree that more needs to be done to strengthen cybersecurity and coordinate our effort,” Sen. Mark Warner, D-Va., said at a press conference announcing the bill. “There is no ability for DHS to come in and detect and improve quality, this is all done on a voluntary basis.”
Along with Warner, Democratic Sens. Claire McCaskill of Missouri and Barbara Mikulski of Maryland, and Republican Sens. Kelly Ayotte of New Hampshire, Dan Coats of Indiana and Susan Collins of Maine co-sponsored the bill.
On top of the powers given to DHS, the bill also calls for the White House’s Office of Management and Budget to report yearly to Congress on the extent it exercises its authority to enforce governmentwide cybersecurity standards.
OMB granted DHS the ability to regularly and proactively scan agency networks last year, but in light of recent hacks, lawmakers wanted to codify DHS’ ability beyond what has been already established.
The agency has been an integral part of OMB’s 30-day cybersecurity sprint, scanning more than 40,000 systems for critical vulnerabilities and patching flaws as they have been found.
Since the launch of the sprint, DHS also has accelerated adoption of Einstein 3A, the intrusion-prevention system used to guard civilian agencies. Einstein 3A now covers 15 federal civilian executive branch departments and agencies, a 20 percent increase over the past nine months. DHS expects to award a contract to provide Einstein 3A for all federal civilian agencies by the end of 2015.
Collins said the bill would only further DHS’ ability to be vigilant in the face of growing attacks. She mentioned that incidents have grown twelvefold since 2006, from 5,500 reported attacks in 2006 to more than 67,000 in fiscal year 2014.
“The alternative to giving these authorities to DHS is essentially to continue the completely unacceptable status quo in which each agency, whether competently or incompetently, monitors its own networks and only requests assistance if it sees fit to do so,” Collins said Wednesday.
Senators expect to introduce the bill alongside the Cyber Information Sharing Act, with a vote coming either before the August recess or soon after lawmakers return to Capitol Hill in September.
Read the full bill below.