Sen. Ron Wyden, D-Ore., and Rep. Lauren Underwood, D-Ill., have proposed a bill to improve oversight of federal agencies’ cybersecurity posture.
Congress authorized agencies in 2015 to self-issue indefinite waivers for cybersecurity practices such as two-factor authentication and data encryption. Wyden’s office said Wednesday that the Federal Cybersecurity Oversight Act of 2020 would limit those waivers to one year and direct the director of the Office of Management and Budget (OMB) to manage their issuance.
“Lax cybersecurity at federal agencies needlessly exposes Americans to privacy and security threats, while putting our national security at risk,” Wyden said. “The Federal Cybersecurity Oversight Act would prevent civilian agencies from punting cybersecurity down the road indefinitely, leaving Americans’ data open for attack from hackers and foreign spies.”
Agency heads seeking waivers should certify to OMB that implementing a specific cybersecurity requirement would be excessively burdensome and that the agency has taken all the necessary measures to ensure the security of data and information systems.
“This bill also requires that existing annual cybersecurity reports to Congress include a list of the specific cybersecurity waivers that the agency has received, along with an estimate for when the agency expects to be able to meet the cybersecurity requirements,” the bill's summary reads.