Ron Johnson: White House not complying with security laws

The Hill
July 1, 2015
By Cory Bennett

Two Senate committee chairmen are concerned the White House is not complying with basic cybersecurity reporting laws.

“Recently, we learned that the [Executive Office of the President] has not submitted an annual information security review of its own systems to the Office of Management and Budget (OMB) or to the appropriate congressional committees for at least the last three years,” said Sens. Ron Johnson (R-Wis.) and John Thune (R-S.D.), in a letter to the White House.

OMB, they added, has not received such a review since fiscal year 2008.

Johnson heads the Senate Homeland Security and Governmental Affairs Committee, while Thune oversees the Senate Commerce Committee.  Both panels play a key role in ensuring compliance with the Financial Information Security Modernization Act (FISMA), originally passed in 2002, and then updated last year.

The senators wrote in a letter, dated June 22 but never publicly released, that FISMA requires “all agencies, even agencies with sensitive information operating national security systems, must comply with the requirement to report on information security performance.”

Johnson has become more vocal about the Obama administration’s lack of security reporting in the wake of a massive data breach at the Office of Personnel Management (OPM), which has likely laid bare over 18 million people’s data.

“What is happening within the federal government IT systems is serious and I’m highly concerned this administration isn’t really complying with things like the FISMA law, is not seriously taking a look at their security measures,” Johnson told The Hill in mid-June, roughly a week after the OPM first revealed the breach.

White House network security has also come under intense scrutiny after it was revealed that suspected Russian hackers infiltrated unclassified systems last fall, gaining access to information such as President Obama’s private schedule.

In their letter, Johnson and Thune asked the White House to submit a security report by July 13.

“As cybersecurity risks and threats to agencies grow and evolve,” they said, “Congress and OMB must be able to assess the effectiveness of agencies’ security efforts through required compliance reviews and reports.”