U.S. lawmakers introduced a bill Wednesday tightening cybersecurity rules for federal civilian agencies.
The bill would amend a 2015 law that already provides for cybersecurity measures at government agencies, such as data encryption and two-factor authentication of information system users, and would be titled the “Cybersecurity Oversight Act of 2020.”
The bill replaces indefinite agency waivers (“deferrals”) from implementing certain cybersecurity measures with waivers effective for one year only, and simplifies congressional oversight of the information security rules that protect federal websites, sensitive data and other critical systems from attack. The current law, by contrast, allows agencies to postpone cybersecurity technology implementation indefinitely, according to the authors of the new bill.
Now, to get a deferral, an agency head must certify that the requirement is “unduly burdensome” to comply with, or that there is no need to secure the agency’s system and data, and that the agency has “taken all necessary steps” to ensure its security.
The document also requires annual reports from state agencies to Congress, including a list of specific cybersecurity technology waivers, along with an estimate of when the agency will be able to meet cybersecurity requirements.