Congress should pursue efforts to hold federal agencies accountable for their cybersecurity by considering changes to the Federal Information Security Modernization Act, according to President Joe Biden’s nominee to direct the Cybersecurity and Infrastructure Security Agency.  

“I know there was some discussion about [Federal Information Security Modernization Act] reform to ensure that accountability is rightly structured … I think things like that are very important discussions to have and if confirmed, I would look forward to working with this committee on it,” Jen Easterly said.

Easterly testified before the Senate Homeland Security and Governmental Affairs Committee Thursday along with Chris Inglis, the nominee for national cyber director and Robin Carnahan, the nominee to lead the General Services Administration.  

Lawmakers have expressed a need to clarify agencies’ incident reporting responsibilities, supply chain scrutiny and technology modernization efforts in the context of reshaping the foundational law in the wake of the pandemic and a string of breaches involving federal agencies. 

“I watched just, as all of us did, horrified that so much of the quick policy work and appropriation that was done by Congress wasn’t able to get to the people that needed it because of outdated or not working, technology systems and likewise that cyber criminals were gonna take advantage of that and steal money,” Carnahan said.

Carnahan also said GSA has work to do toward removing certain Chinese technology from federal government systems as required under Section 889 of the 2019 National Defense Authorization Act.

“I think it’s important that GSA get on with, as the chief buyer, strengthening the supply chain to ensure that it’s complying with Section 889,” she told Sen. Josh Hawley, R-Mo. “My understanding is that it has worked on that, but in the end, there’s no excuse for not just getting it done. I don’t know what the blockers are currently to having this fully implemented and enforcing these rules but if I’m confirmed I’m going to be interested in, as quickly as possible, getting to the bottom of that issue.”

Sen. James Lankford, R-Kan., noted that all three of the nominees would have a role in dealing with removal orders like those surrounding companies like China’s Huawei and Russia’s Kaspersky and asked what their approach would be going forward.   

Carnahan said she would look to automation as a way to better monitor the supply chain. Easterly referenced CISA’s place on the Federal Acquisition Security Council—an interagency group that has the authority to recommend such removal orders—and said she was looking forward to working with that body and a public-private Information and Communication Technology Supply Chain Risk Management task force within CISA. Inglis said the national cyber director’s access to the National Security Council from within the White House would make him well-positioned to advise on legal challenges that can result from such removal orders.

Multiple senators also asked the nominees to describe how they would go about putting a dent in the government’s cybersecurity workforce shortage.

Carnahan said the government could benefit from realizing the attractiveness of positions that allow remote work and is looking forward to hearing from a GSA task force on the future of work. 

Easterly stressed the importance of organizational culture. “You have to build a culture of excellence that prizes inclusion, innovation, collaboration, empowerment and ownership, so that people wake up in the morning and they love what they do and they enjoy their teammates, and they like who they work for,” she said. “That is how you attract the best talent and retain the best talent.” She also noted a need to tap diverse pipelines for talent. 

Inglis agreed with this. “I think we also need to revisit what the fundamental qualifications are to take one of these jobs, not all of them require a bachelor of science in computer science,” he said. “Many of them simply need good critical thinkers, people who’ve got a good work ethic and we need to open the doors for them to make their way into these jobs such that they can make an immediate and positive difference.”

Inglis is also a proponent of starting earlier and advocates planting the seed about viable cybersecurity jobs as part of the education system in kindergarten through 12th grade.    

“We have found that the pipelines aren’t generating enough, either in the diversity or in the literal numbers,” he said. “We need to actually work those pipelines.”