Whoever is appointed as federal CISO will have a bully pulpit to highlight cybersecurity issues in the federal government, but without legal authority from an act of Congress or elsewhere, the position is unlikely to fulfill its potential, a senior Department of Homeland Security cyber official said Thursday.
‘As the federal CISO does come into play, a key element to that person is to work at developing legal authorities, be it through Congress or otherwise, that’s going to give [the CISO]… the same seat at the table as the CIO at the agency level,’ Mark Kneidinger, director of the Federal Network Resilience Division in DHS’ Office of Cybersecurity and Communications, said during a panel discussion hosted by the Independent Telecommunications Pioneer Association.
Members of the panel compared the federal CISO’s situation to the relatively weak authorities of agency CIOs prior to the passage of the Clinger-Cohen Act in 1996.
Kneidinger said the federal CISO position and the Cybersecurity National Action Plan that calls for its creation are positives for the federal government because of the way they unify federal agencies to focus on governmentwide cybersecurity issues.
‘There’s a correlation here of agencies realizing they need to take a look at this with a governmentwide perspective and not just as an individual agency,” he said.
After the federal cybersecurity sprint last summer, ordered in the wake of the massive breaches at the Office of Personnel Management, he said, ‘what we saw was 62 folks getting together, representing from across multiple agencies, and working together with the consolidated brain power of how to address those critical issues. That led to the [Cybersecurity Strategy and Implementation Plan], which is now rolling into the CNAP and additional activities.”
The new federal CISO, who will report to federal CIO Tony Scott, will be responsible for overseeing cybersecurity policies within all federal civilian agencies, while working in collaboration with top-level Defense Department and intelligence agency counterparts.
“In reality, the CISO role is a policy coordinating role across the federal government,” Scott said in February. “One of the things that’s unique about OMB, given the name, is that it has management and budget responsibilities. Those are two powerful things that can shape and influence practice in each agency.”
With the advent of the CNAP, CIOs and CISOs, in theory, will be working more closely on the same set of issues, Kneidinger said.
‘Providing the federal CISO, that’s going to be that voice that going to give the opportunity for CISOs to provide their recommendations so that the appropriate authority level can be taken to be able to serve that population,” he said.
Still, there’s got to be some power behind that position if agency CISOs are to be elevated in influence as intended by the CNAP, Kneidinger said.
‘If you were to look at the purpose behind the federal CISO … that authority level, I think, is going to be key for that person to be as successful in regard to the intent,” he said.