Federal agencies must submit a collection of cybersecurity information to Congress. The regulations are buried in the omnibus bill and may come as a surprise to some.
The Cybersecurity Act of 2015 requires additional reporting from the Inspector Generals by August 2016.
We discovered the onerous and vague regulations in our intensive review of the Omnibus Appropriation Act, passed in December 2015. Within the act is another act: the Cybersecurity Act of 2015. Section 406 requires each Inspector General to submit a collection of security information to Congress no later than 240 days from the December enactment date, which lands on August 14, 2016.
Specifically addressed is each “covered agency” under the respective Inspector General’s aegis. A covered agency is any that operates a federal computer system with access to classified information or personally identifiable information (PII). If that’s you, then you are beholden to the requirements and the August deadline.
Federal computer security reporting requirements
As a covered agency, you must supply Congress with documents and information about how you address the following areas of cybersecurity (verbatim from section 406):
- Logical access control policies and practices
- Logical access controls and multi-factor authentication of privileged users or the reasons for not using such logical access controls or multi-factor authentication
- Information security management practices for conducting inventories of the software and software licenses for the covered agencies and their contractors
- Capabilities and practices to monitor and detect exfiltration and other threats, including:
- data loss prevention capabilities;
- forensics and visibility capabilities;
- digital rights management capabilities;
- or reasons for not utilizing the capabilities
At the moment, there’s no guidance or specificity as to how the Inspector Generals must supply this information to Congress. CLA’s federal government practitioners will pursue more details about the reporting requirements and engage in conversations with regulators to determine how you should best comply.
How we can help
The reporting requirements may be burdensome for your agency, depending on the number of covered systems under your or your contractor’s control — and it may be difficult to meet the August deadline. Our federal government team has extensive experience with security and privacy reporting and can help you with the likely procedures and steps you’ll be expected to comply with. We can help you manage the process and prepare for the upcoming new requirements.