Congressman Ralph Abraham, M.D., R-Alto, introduced legislation on Monday, Sept. 19, to address the recent cybersecurity breaches of personal data of millions of Americans.
Dr. Abraham’s HR 6066, the “Cybersecurity Responsibility and Accountability Act,” sets a number of directives for federal agencies to strengthen their cybersecurity protocols, and the bill brings a new level of accountability for agency heads that fail to implement the security measures necessary to prevent against cyber attacks.
The bill comes after numerous Congressional hearings uncovered that breaches occurred after federal government agency heads at agencies such as the Office of Personnel Management (OPM), the Internal Revenue Service (IRS) and the Federal Deposit Insurance Corporation (FDIC) failed to implement adequate procedures to protect data.
Those three breaches alone resulted in compromised personal data of more than 22 million Americans.
“As a country, we must do a better job protecting Americans and their personal information from cyber attacks. This bill not only implements important reforms to strengthen our cybersecurity, but it also increases accountability so that we can hold agency heads responsible when they fail to correct security vulnerabilities identified by inspectors,” Dr. Abraham said.
The major provisions in the bill include:
• Specifies the role of the National Institutes of Standards and Technology (NIST) Director to develop and update cybersecurity standards and guidelines to fulfill the additional objectives and requirements of the Cybersecurity Responsibility and Accountability Act of 2016;
• Requires the NIST Director to conduct cybersecurity research to identify and address prevalent information security challenges, concerns, and knowledge gaps identified by agencies;
• Directs NIST, the Office of Management and Budget (OMB) and the Department of Homeland Security to develop the job description and responsibilities for an agency Chief Information Security Officer within 6 months of this Act’s enactment;
• Requires each agency to provide mandatory annual information security training and certification designed specifically for the agency head, which is to be developed and updated by NIST;
• Requires the annual agency report to OMB to include written certification by the agency head that NIST information security standards are being met by the agency;
• Requires each agency head to develop plans in consultation with GAO and separately with the agency IG to implement all of the GAO’s and respective agency IG’s recommendations regarding information security controls relevant to the agency;
• Requires an independent IG evaluation of each major cybersecurity incident experienced by the agency; and
If the IG’s evaluation of the major cybersecurity incident determines that the incident occurred because the agency head failed to comply sufficiently with the information security requirements, recommendations, or standards provided by NIST, the IG, or GAO, the OMB Director shall take enforcement action. The action that the OMB Director may take includes recommending to the President the removal or demotion of the agency head, or ensuring the agency head does not receive any cash or pay awards or bonuses for a period of 1 year.