Is the White House Skirting Government-wide Cybersecurity Rules?

The White House’s Executive Office of the President hasn’t submitted reports detailing compliance with federal cybersecurity rules for the past three years, according to a letter to President Barack Obama written by Senate Commerce Committee Chairman John Thune (R-SD) and Senate Homeland Security and Government Affairs Committee Chairman Ron Johnson (R-WI). The apparent lack of annual reporting is even more striking considering the White House’s unclassified computer networks were breached by hackers in Fall 2014, purportedly from Russia, leading to temporary outages as officials worked to suppress malicious activity.

The letter says EOP hasn’t submitted annual cybersecurity reviews of its systems to either the Office of Management and Budget or congressional committees for at least the past three years. The last time White House results showed up in OMB’s annual compilation of agency reports was in fiscal 2008, according to the letter. Annual reviews of agencies' IT security posture are mandated by the 2002 Federal Information Security Management Act, which Congress last updated in December. Independent inspectors general are also required to review agencies’ FISMA compliance. The Chairmen want to know if EOP complies with mandated security requirements under FISMA and why the office has failed to comply with reporting requirements in recent years. The letter seeks a response by July 13.