A bill introduced in the House this week by Rep. Ralph Abraham, R-La., proposes that agency heads be demoted, fired or otherwise disciplined if a data breach occurs on their watch.
Titled the Cybersecurity Responsibility and Accountability Act of 2016, the bill comes in response to several data breaches, including those at the Office of Personnel Management, the Federal Deposit Insurance Corporation, and the Internal Revenue Service.
The bill would require agency heads to complete “mandatory annual information security training and certification designed specifically for the agency head, developed and updated as necessary by the National Institute of Standards and Technology,” to ensure that the agency head understands Federal cybersecurity policy.
It also directs the Director of the National Institute of Standards and Technology to develop, and update as necessary, the standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) to fulfill the additional objectives and requirements of the Cybersecurity Responsibility and Accountability Act of 2016.
Each agency head would also be required, not later than 6 months after the date of enactment of the Cybersecurity Responsibility and Accountability Act of 2016, to develop a plan in consultation with the Comptroller General to implement all of the Comptroller General’s recommendations regarding information security controls relevant to that agency.