Federal agency CIOs ought to have the authority to stop major IT procurements if they have concerns about cybersecurity, lawmakers were told by agency executives Wednesday.
Currently, federal CIOs have to sign off on an Authority to Operate for every major IT system in their department. But CIOs, including NASA’s Renee Wynn, told subcommittee chairman Rep. Will Hurd, R-Texas, that it wasn’t clear what happens to a procurement contract if the ATO for the system isn’t signed.
“I would like to have that authority,” Wynn said during a hearing of the House Oversight and Government Reform Subcommittee on IT.
“If a system doesn’t get the ATO … does that void the contract?” asked Hurd.
“I believe that procurement clauses would need to be added [to contracts] … across the federal government,” for that to happen, she replied, explaining that at present it is up to the CIO, in consultation with agency leaders, to negotiate whether or not to shut down a system that does not get an ATO.
“Having that contract language would be very good, I think,” agreed U.S. Department of Agriculture CIO Jonathan Alboum.
“There needs to be accountability,” added Rep. Rod Blum, R-Iowa. “Either the contractor made a mistake and we don’t pay them — that’s what would happen in the private sector — or federal employees made a mistake and they should be terminated,” he said, discussing the Social Security Administration’s failed $340 million modernization program, which the agency terminated in 2015.
Alboum, Wynn and Social Security Administration CIO Robert Klopp testified on progress their departments had made in meeting new government-wide cybersecurity mandates imposed last year after the massive OPM hack.
Combined with legislative changes — the Federal IT Acquisition Reform Act, or FITARA — the new mandates have had the effect of empowering CIOs, Hurd said.
Cybersecurity “is a conversation that starts with the agency CIO,” he said. “CIOs are the focal point for all things information technology at every federal agency, department, office and bureau.”
“Congress can’t hold agency CIOs accountable … if they don’t have the necessary authorities to get the job done,” said Hurd, adding that new authorities might also persuade CIOs to stay at their posts longer than the current two-year average. “If we are going to move the ball forward, we need federal CIOs not only with the necessary authorities to make their vision a reality, but who are sticking around long enough to see it happen,” he said.
At NASA, Wynn caused waves over the summer when she took the unprecedented step of refusing to sign off on an ATO for a major agency IT system — the Agency Consolidated End-user Services, or ACES. The ACES contract is one of five major NASA infrastructure procurements.
“It did turn some heads,” she said, adding, “I would do it again … We didn’t have enough data to make a risk-determination decision about whether to sign the ATO.”
She said within a week the ACES contractor, HP Enterprise, had “stepped up,” and resolved the discrepancies in reporting figures about endpoint device numbers and patching schedules that had given her pause.
“That was on a Monday [that I declined to sign the ATO]; by that Friday I had signed the ATO, because by that time we were able to see and understand the risks that I would be signing off on,” she said.
She added that the agency was working “diligently” with NASA centers around the country and with the Department of Homeland Security to deploy the government-wide malware detection and intrusion prevention system called Einstein 3A.
“While we have experienced some challenges around deploying this technology at some centers, we are working … to resolve technical issues and enable NASA to meet the December 18, 2016 deadline for full deployment,” she said.
Earlier this year, NASA got the federal government’s only “F” grade on its FITARA report card — produced by the oversight committee.
The overall grade on the report card was derived from scores for the four objectives set by FITARA:
- Data Center Consolidation
- IT Portfolio Review Savings
- Incremental Development
- Risk Assessment Transparency
But Wynn — who called the agency’s FITARA score “unacceptable” back in May when it was published — referred to another measure to benchmark her progress since then.
“NASA has significantly reduced its cybersecurity risk measured by the DHS Cyber Hygiene report,” she said. “We have looked at the aggregate risk, as measured by DHS, and have reduced our vulnerabilities by 25 percent in the last eight months.”