Cybersecurity: Federal Agency Roles

February 13, 2017
The federal role in cybersecurity involves both securing federal information systems and assisting in protecting nonfederal systems. All federal agencies are responsible for protecting their own systems, and many have sector-specific responsibilities for critical infrastructure (CI). A simplified overview of major roles is presented in Figure 1 and the text below. Because of factors such as the continuing evolution of both cyberspace and agency roles, the distribution of responsibilities is more complex and ambiguous than what is presented here, with a number of unresolved issues.

Figure 1. Federal Agency Roles in Cybersecurity
[Figure: diagram of federal agency roles; not reproduced in this extraction.]
Source: CRS.
Note: See text for abbreviations.

All agencies. Under the Federal Information Security Modernization Act (FISMA, 44 U.S.C. 3551 ff), each agency head must provide through the agency Chief Information Officer (CIO) for the protection of agency information systems in accordance with federal requirements, including establishment of an agency information security program.

OMB—Office of Management and Budget. In addition to its budgetary role, this White House office is responsible for approving and enforcing information security requirements under FISMA for federal systems, with two exceptions. National security systems (NSS) fall under the interagency Committee on National Security Systems. FISMA also delegates to the Secretary of Defense and the Director of National Intelligence, respectively, responsibility for systems in the Department of Defense (DOD) and the Intelligence Community (IC) agencies that are designated as crucial to their missions.

NIST—National Institute of Standards and Technology. This bureau of the Department of Commerce develops standards and guidance for federal systems that become mandatory under FISMA once approved by OMB (40 U.S.C. 11331). It also performs research relating to cybersecurity, develops voluntary guidance, works with government and private-sector entities to develop cybersecurity best practices, and coordinates interagency efforts in cybersecurity education, training, and workforce development through the National Initiative for Cybersecurity Education (NICE). The agency also coordinated the public/private development of a framework for CI cybersecurity, released in 2014.

DHS—Department of Homeland Security. FISMA provides DHS primary responsibility for coordinating the operational security of nonexcepted federal systems, including the issuing of binding operational directives for implementing FISMA requirements and of emergency directives in response to substantial threats. The Cybersecurity Act of 2015 (CSA, P.L. 114-113, div. N) also authorized and requires agencies to utilize a DHS intrusion prevention and detection program for federal civilian systems, implemented as the National Cybersecurity Protection System (NCPS) and its EINSTEIN component. The DHS Continuous Diagnostics and Mitigation (CDM) program provides tools and services to identify and mitigate vulnerabilities on agency networks.

In addition, DHS oversees federal efforts to coordinate and improve the protection of U.S. CI, most of which is controlled by the private sector. The National Cybersecurity Protection Act of 2014 (P.L. 113-282) authorized the National Cybersecurity and Communications Integration Center (NCCIC), established administratively in 2009, to provide and facilitate information sharing and incident response among public and private-sector CI entities. The CSA established a process to facilitate public- and private-sector sharing of information on cyberthreats and defensive measures through the NCCIC and other means, and it permits private-sector entities to monitor and operate defenses on their information systems.

DOJ—Department of Justice. Much of the enforcement of federal criminal laws relating to cybersecurity, including investigation and prosecution, is carried out by DOJ. However, some entities within other departments also have enforcement responsibilities, such as the U.S. Secret Service in DHS and the Defense Cyber Crime Center in DOD. The duties of law-enforcement agencies often involve digital forensics, electronic surveillance, and other technological activities. The Federal Bureau of Investigation (FBI) leads the multiagency National Cyber Investigative Joint Task Force (NCIJTF), which focuses on information sharing and analysis for law enforcement relating to cyberthreats.

DOD—Department of Defense. DOD is responsible for military operations in cyberspace. That includes both defensive and offensive operations, with the U.S. Cyber Command serving as the main focus for coordinating and conducting such activities. DOD agencies such as the Defense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA) also engage in cybersecurity research and development (R&D). NSA and other DOD agencies also provide assistance upon request to DHS, other civilian agencies, and private-sector entities under various agreements.

IC—Intelligence Community. The IC consists of 17 federal agencies and other entities responsible for various forms of intelligence collection, sharing, and operations, including those relating to cybersecurity. The Director of National Intelligence sets standards for mission-crucial IC systems other than NSS.

NSA—National Security Agency. While NSA is a major component of the IC, it also has a significant cybersecurity mission, serving as the designated manager of national security systems (NSS), which are information and telecommunications systems that are used in military, intelligence, and other national security activities or that handle classified information. This includes the development of security standards. NSA, along with DHS, is also involved in designation of academic centers of excellence in cybersecurity.

DOE—Department of Energy. DOE supports cybersecurity efforts in the energy sector, including electricity and nuclear, for example by assisting private-sector energy companies in developing cybersecurity capabilities for energy-delivery systems. It also provides some cybersecurity services to other agencies and private-sector entities through the DOE National Laboratories and other means. Several of DOE’s 17 national laboratories also engage in cybersecurity R&D, education and training, and other activities. These include such things as modeling and simulation of systems and networks, forensic analyses, and providing test beds for investigating and improving the security of industrial control systems.

FTC—Federal Trade Commission. Under the Federal Trade Commission Act, the FTC is required to prevent the use of “unfair or deceptive acts or practices in or affecting commerce” by businesses (15 U.S.C. 45). Several other laws also provide the agency with related authorities. The FTC has investigated many cases involving the cybersecurity practices of businesses, with settlements typically requiring the implementation of comprehensive cybersecurity programs and other actions. Many of those actions involve consumer protection, but some have involved the cybersecurity practices of companies such as hotels, financial institutions, and information and communications technology businesses.

OSTP—Office of Science and Technology Policy. This White House office coordinates and facilitates interagency and multiagency cybersecurity activities, especially R&D.

NSF—National Science Foundation. This independent agency funds research and education in cybersecurity, largely through academic and nonprofit institutions. Its Scholarship-for-Service (CyberCorps) program also provides scholarships to train cybersecurity professionals.

SEC—Securities and Exchange Commission. Federal law requires publicly traded companies and other entities registered with the SEC, with certain exceptions, to report annually on the establishment and maintenance by management and the effectiveness of “an adequate internal control structure and procedures for financial reporting” (15 U.S.C. 7262). To the extent that records are kept electronically, such a structure would include cybersecurity provisions. In addition, SEC guidance states that such entities should disclose cybersecurity risks and incidents where they form significant risk factors for investment.

SSAs—Sector-Specific Agencies. SSAs are those federal agencies responsible for leading public/private collaborative efforts to protect the 16 designated CI sectors. Plans developed for each sector include discussion of cybersecurity concerns and activities.

Regulatory Agencies. The regulatory environment for cybersecurity is complex, involving both technical and nontechnical activities by various agencies. Cybersecurity in some CI sectors is subject to specific regulations, such as the chemical (DHS), bulk electric power (Federal Energy Regulatory Commission), financial services (Department of the Treasury and other agencies), and healthcare (Department of Health and Human Services) sectors. Some agencies with regulatory authority over certain sectors, such as the Federal Communications Commission (FCC), have chosen to focus on voluntary compliance.

Other Agencies. In addition to the work of NIST, the Department of Commerce is involved in Internet policy more broadly through the National Telecommunications and Information Administration (NTIA), and, along with the Department of State, in international trade and diplomatic activities relating to cybersecurity. The General Services Administration (GSA) is involved in aspects of cybersecurity involving acquisition of goods and services, including cloud computing, by federal agencies. The Government Accountability Office (GAO) investigates agency implementation of cybersecurity programs and requirements, and agency Inspectors General (IGs) audit agency conformance to FISMA and other requirements.

Issues. Among unresolved issues are the authority of CIOs, the proper role of regulation in the cybersecurity of CI, the use of OMB authority to enforce FISMA requirements, the role of DHS in FISMA enforcement and CI cybersecurity, and the role of NSA in protecting civilian systems.

Eric A. Fischer, Senior Specialist in Science and Technology
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10602 · VERSION 2 · NEW