The chair of the Senate Homeland Security and Governmental Affairs Committee, Joseph Lieberman, I-Conn., and ranking member Susan Collins, R-Maine, have sent DHS secretary Michael Chertoff a letter seeking detail on a new initiative to secure federal IT systems.
The "Comprehensive National Cyber-Security Initiative" was established in January with a presidential directive and is a multi-agency, multi-year 12-step plan for securing the federal government’s cyber networks.
The letter asks for specific information on CNCI ranging from the secrecy of the project to its heavy reliance on contractors to the lack of involvement by the private sector, which controls the vast majority of the nation’s cyber infrastructure.
The letter notes that DHS has requested an additional $83 million for the National Cyber Security Division for fiscal 2009, which, together with the $115 million awarded for the initiative in fiscal 2008, triples the funds spent on cyber security in DHS since 2007.
The senators said a DHS request for proposal for NCSD mission support did not appear to incorporate recent GAO recommendations to DHS to "clearly describe roles, responsibilities, and limitations of selected contractor services as part of the acquisition planning process."
They also expressed concerns regarding how information has been shared with Congress and other stakeholders concerning the initiative and the potential impact that lack of collaboration may have on the success of the initiative.
A lack of information could deter agencies from planning for future IT needs and deter companies from doing business with the government given uncertainties about future technical requirements, as well as stoke anxiety that security requirements may not be tempered with respect for privacy and civil liberties, they wrote.
The letter cites apparent confusion over what information about the CNCI is classified or not. For example, it noted that on March 20th, DHS announced that Rod Beckstrom would be the director of the NCSC within DHS, but prior to that announcement, committee staff had been instructed that the existence of the NCSC itself was classified.
Further, it questions a lack of private industry involvement in the initiative to date, noting that the private sector controls most of the nation’s cyber infrastructure.