Cybersecurity protections for government computer systems will be subject to increased oversight and accountability thanks to a provision passed as part of the Cybersecurity Information Sharing Act (CISA) on Tuesday in the Senate.
The provision, written by Senator Orrin Hatch, R-Utah, the longest-serving Republican in the history of the Senate Intelligence Committee, comes in the wake of an increase in major cyberattacks on government systems. The provision sheds light on whether the federal government is using the most up-to-date cybersecurity practices and software to protect federal computer systems and databases from both external cyberattackers and insider threats.
“The Cybersecurity Information Sharing Act (CISA) is critical for protecting our nation’s cyber-defenses,” said Sen. Hatch. “The bill includes my provision, which requires a report on the federal government’s use of cybersecurity practices and software. This report will show what’s working and where improvements need to be made to protect federal computer systems and databases from hackers. The future of our nation’s cybersecurity starts with the federal government practicing good cyber-hygiene.”
The full text of the provision can be found here, and a section-by-section can be found here.
The measure, called the Federal Computer Security Act, requires federal agency Inspectors General to report to Congress on the security practices and software used to safeguard classified and personally identifiable information on federal computer systems.
Not later than 240 days after enactment, the Inspector General for each covered agency shall submit a report to Congress that includes:
- A description of the logical access standards used by the agency to access federal computer systems, including whether the agency uses multi-factor logical access controls.
- A description of the policies and procedures the agency uses to conduct inventories of security software on its computers and the licenses associated with such security software.
- A description of the data security management software used by the agency, including whether the agency has entered into licensing agreements for software security controls such as data loss prevention software or digital rights management software.
- A description of the policies used by the agency to ensure that entities, including contractors, that provide services to the agency are implementing data management practices.