The House Oversight and Government Reform Committee (OGR) on Tuesday approved by voice vote a bill which would allow Federal agency heads to limit access to certain websites or deploy cybersecurity measures if they feel that it is necessary to secure their IT systems, but not before strong vocal dissent about the scope of the legislation.
HR 5300, the Federal Information Systems Safeguard Act of 2018, would permit agency heads “to take any action to limit, restrict, or prohibit access to a website or to test, deploy, or update a cybersecurity measure if the head of the agency determines such action is necessary to carry out the responsibilities of the head of the agency.”
But the crux of the bill actually centers on Facebook and personal email.
HR 5300 essentially restricts Federal union collective bargaining from preempting an agency head's action to restrict certain website use on agency computers.
Rep. Gary Palmer, R-Ala., the sponsor of the bill, on Tuesday spoke of the events that prompted the legislation. In 2011, Immigration and Customs Enforcement (ICE) restricted employee access to Facebook and personal email after it was determined that an ICE data breach was traced to those sources.
Palmer also referenced the aftermath of the 2015 Office of Personnel Management data breach that exposed millions of government employee records. As a response, OPM prevented employee Facebook and web-based email access.
However, Palmer said that in 2014, the Federal Labor Relations Authority, in a 2-1 ruling, found that “imprecise wording” in the Federal Information Security Management Act (FISMA) meant agencies did not have the authority to impose the site or email bans without first bargaining with Federal labor unions. Now, Palmer is looking to eliminate the ambiguity.
“The Federal Information Systems Safeguard Act amends FISMA to make clear to the head of a Federal agency that they have the authority to take appropriate and timely action to secure their IT networks,” Palmer said. “The bill will enhance the agency’s ability to deploy timely cybersecurity measures, defend against cyberattacks, and protect critical information databases and federal employees’ personally identifiable information.”
He provided an example, citing an OGR majority staff report on the OPM data breach, which found that OPM’s deployment of a network access control tool was delayed in part due to a requirement to notify unions.
The bill was first introduced in 2016 and was favorably reported by OGR in the past. The bill passed the House last Congress but did not make it through the Senate. Tuesday’s approval of HR 5300 came after strong debate over whether the bill actually accomplishes what Palmer suggested.
Palmer argued that the bill would allow IT leaders to make swift decisions to protect Federal networks, saying “cybersecurity response time is critical.” But opponents argued the measure was just another assault on the Federal workforce.
Rep. Elijah Cummings, D-Md., a vocal opponent of recent Federal workforce actions, argued the language in the legislation is far too broad.
“As I understand it, this legislation is intended to clarify that agency heads can block web-based email on agency computers without following requirements to bargain with the local union,” Cummings said. “There’s no question that we need to protect our federal IT and information systems from cyber threats. I strongly support that goal. But no matter what you believe about blocking employee access to email, this bill will go well beyond that.”
Cummings also expressed concern over how the repercussions of the bill could impact an employee’s ability to be contacted by family in the event of an emergency.
“We can protect Federal computer systems without the unnecessarily broad language included in this bill and we can protect Federal computer systems without eroding employee rights,” he said. Similar concerns were voiced by Rep. Gerry Connolly, D-Va.
“I have not sat through a single hearing where a single shred of evidence was presented to us by anybody that collective bargaining was a threat to the compliance with FISMA,” he said. “I have not heard a single shred of evidence that collective bargaining frankly in any way impedes our ability to try to do what we need to do by way of modernization and upgrading IT management within the Federal family. I think we’re fixing a problem that isn’t broken and it is unfortunately another part of this longer narrative aimed at the Federal worker.”
Palmer argued in response that the bill was “narrowly tailored” and only clarifies already existing authority. Following the vote, the bill will be reported to the full House.