Agency Cybersecurity Waivers Would Face New Time Limits, Oversight Under New Bill


With a new proposal that would require federal agencies to get permission from the Office of Management and Budget to opt out of implementing specific cybersecurity practices—encryption of sensitive information and multifactor authentication—Sen. Ron Wyden, D-Ore., and Rep. Lauren Underwood, D-Ill., are challenging the status quo in cybersecurity policy.


“To secure our nation’s infrastructure, we must prioritize that federal agencies are adhering to the best cybersecurity practices,” Underwood, the new chair of the Committee on Homeland Security’s subcommittee on cybersecurity, infrastructure protection and innovation, said in a press release on the bill’s introduction. “I’m pleased to join Senator Wyden to introduce this timely legislation.”


The generally accepted theory in U.S. cybersecurity policy centers on risk management and the idea that because there are limited resources and variations in system designs and functions, each entity must decide for itself where and how to focus its protection efforts. 


The National Institute of Standards and Technology’s 2013 cybersecurity framework is at the heart of this. It references a host of security controls, but federal agencies, which are required to use the framework, are able to choose which of those controls they should implement according to the plans they design for themselves.


In the wake of the breach of the Office of Personnel Management—where the exposure of sensitive data of over 22 million people could have been avoided if the files were encrypted—lawmakers tried to take a more granular approach. 


They passed the Federal Cybersecurity Enhancement Act of 2015, which mandated that agencies identify their sensitive data and implement