In an effort to address concerns about cybersecurity at U.S. Department of Health & Human Services (HHS), the agency’s chief information security officer (CISO) would be elevated to a separate office rather than remaining underneath the agency's CIO as presently structured. The bill was introduced by Reps. Doris Matsui, D-Calif., and Billy Long, R-Mo.

“As the network of cyber criminals becomes increasingly sophisticated, our operational structures and strategies must evolve accordingly,” Matsui said in a statement. "This common sense legislation incentivizes best security practices and encourages organizational efficiencies as our federal agencies continue to confront the modern threat environment.”

The change in the CIO-CISO reporting structure was the top recommendation of an August 2015 report by the House Energy and Commerce Committee, which counts Matsui and Long as members. The report cited a 2014 ThreatTrack Security survey that said “less than half of CISOs at surveyed organizations still report to their CIO.”

The report placed some of the blame on information security workers not having the proper authority for hackers gaining access to at least five divisions of HHS within the last three years.

“Information security officials are not always permitted full visibility into their own networks as a result of their relationship with agency contractors, who may own and operate portions of agency networks,” the report said.

If the bill is signed into law, the HHS Secretary would be required to report on overhauling the agency’s information security programs within one year of its adoption.