With the reintroduction and unanimous passage of the Federal CIO Authorization Act of 2019 in the U.S. House of Representatives, empowering our government’s highest IT and security leaders is quickly evolving from a vision to a reality. Recognizing the government’s reliance on technology, the Federal CIO Authorization Act aims to elevate the role of the federal chief information officer, in addition to defining the chief information security officer position.
As we look to make these roles more defined and ultimately impactful, it’s important to explore the specific responsibilities that differentiate the federal CIO from the newly established federal CISO, a position that was created in 2016.
The federal CISO is a position of IT authority and, as a result, it should have oversight responsibilities for the cybersecurity budget, government-wide cybersecurity policy development, compliance and most importantly, development of cohesive cybersecurity architectures and plans. The federal CISO should also be a peer of the federal CIO, reporting directly to the Office of Management and Budget director. As it stands, the Federal CIO Authorization Act currently calls for the federal CISO to report to the CIO, while the CIO reports to the OMB director.
Cybersecurity is a critical component to protecting our nation from adversarial threats, which is why it is becoming more and more eminent that the federal CISO is regarded as an equal to the CIO. This will empower the CISO to make decisions surrounding our nation’s cybersecurity directives. The federal CISO should serve as an adviser directly to the president, as well as have oversight responsibility for agency CISOs — but agency CISOs should report directly to their respective agency heads.
The federal CISO should own organic budget and personnel for policy development and oversight, but the ownership and execution of cyber funding and personnel should remain with the agencies. Budgeting requirements for policy development should be exclusive of the development government-wide policies, corresponding reporting and oversight mechanisms to ensure compliance. By allowing the federal CISO to hire full-time staff, as well as senior cybersecurity personnel detailed on a limited basis from the agency CISO staffs, the leader can create a dynamic team that addresses any cybersecurity issues facing the U.S. now or in the future.
With a more empowered role at the agency level, security measures should also bubble up to the larger federal CISO role. This should include anything relevant to the protection of government information and IT systems. Allowing the federal CISO to oversee security will make them responsible for the largest, most complex and most mission critical IT systems in the world, making the role one of the strongest representations of our nation’s IT capabilities.
As we await the Senate’s review of the Federal CIO Authorization Act, it’s important that the federal government remember that CIOs and CISOs need to be peers and partners to ensure and provide effective and secure information technology. Additional legislation to establish the CISO as a peer to the federal CIO would ensure adequate authorities are provided and that our nation’s IT needs are properly controlled, moderated and executed.
Bob Dunn is the vice president, U.S. federal markets, for Juniper Networks.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.