The House recently passed a bill introduced by Rep. Langevin to amend the Homeland Security Act of 2002 to grant the DHS Chief Information Officer (CIO) authority for the development, approval, implementation, integration, and oversight of certain DHS cyber security initiatives (e.g., “information management and information infrastructure”). The Homeland Security Network Defense and Accountability Act of 2008 authorizes the CIO to manage the policies, procedures, activities, funding, and systems relating to DHS networked information and infrastructure, and this surely bears on the Department’s role in the National Cyber Security Initiative.
Why the CIO? The GAO issued a report in June questioning DHS’s organization for addressing its cyber missions. There is CERT. There is an Assistant Secretary for Cyber Security and Communications and the director of the National Cyber Security Center at DHS. Of course, most of the component agencies of DHS also have their own CIOs.
The new bill directs the DHS CIO to establish and manage security control testing protocols to protect DHS’s and contractors’ information infrastructure against cyber-based attacks. It also tasks the DHS Inspector General with determining the effectiveness of the Department’s cyber security policies and controls. Moreover, the Secretary – through the CIO – has to determine that any contractors have their own cyber security policies and protections in place before entering into or renewing a covered contract.
That’s a lot on the CIO. The bill therefore sets forth a list of qualifications for the CIO, including at least five years of executive leadership and management experience in IT and information security.