House proposal would separate CISO, CIO roles within HHS
In an effort to address concerns about cybersecurity at the U.S. Department of Health & Human Services (HHS), the agency’s chief information security officer (CISO) would be elevated to a separate office rather than remaining underneath the agency’s CIO, as is presently the case. The bill was introduced by Reps. Doris Matsui, D-Calif., and Billy Long, R-Mo.
“As the network of cyber criminals becomes increasingly sophisticated, our operational structures and strategies must evolve accordingly,” Matsui said in a statement. “This common sense legislation incentivizes best security practices and encourages organizational efficiencies as our federal agencies continue to confront the modern threat environment.”
The change in the CIO-CISO reporting structure was the top recommendation of an August 2015 report by the House Energy and Commerce Committee, which counts Matsui and Long as members. The report cited a 2014 ThreatTrack Security survey that said “less than half of CISOs at surveyed organizations still report to their CIO.”
The report attributed part of the blame for hackers gaining access to at least five divisions of HHS within the last three years to information security workers not having the proper authority.
“Information security officials are not always permitted full visibility into their own networks as a result of their relationship with agency contractors, who may own and operate portions of agency networks,” the report said.
If the bill is signed into law, the HHS Secretary would be required to report on overhauling the agency’s information security programs within one year of its adoption.