Wyden bill requires new cyber standards in federal tech procurement
The legislation comes in the wake of several cyber incidents targeting the federal government.
A new bill led by Sen. Ron Wyden, D-Ore., would require new interoperability and cybersecurity standards for online collaboration tools acquired by the federal government.
Wyden, who has a reputation as a privacy hawk, is sponsoring the Secure and Interoperable Government Collaboration Technology Act following what his office called “multiple disastrous hacks of U.S. government systems” that have occurred over the past year.
Top of mind is a high-profile Chinese state-backed cyberattack that allowed hackers to access the Microsoft email accounts of top government officials last year, which led to a scathing report from a DHS oversight board that faulted the company for an “inadequate” security culture.
The measure tasks the National Institute of Standards and Technology and the General Services Administration with establishing minimum standards for commonly used government-contracted workplace collaboration tools like Zoom or Slack so that they meet certain interoperability requirements and use end-to-end encryption or other techniques to prevent the platforms from being hijacked by hackers or foreign spies.
The common collaboration tools will need to adopt the standards within four years after NIST sets them. DHS would be tasked with conducting reviews of the collaboration suites for compliance. A timeframe for how often these assessments would occur is not provided, but DHS will have to deliver findings to Congress within a month of administering them, according to the bill’s text.
The aftermath of the Microsoft email cyberattack led to several rounds of congressional scrutiny over the U.S. government’s heavy reliance on the tech giant’s products and services, which are used across Capitol Hill, federal agencies and the Defense Department. The company has secured billions of dollars’ worth of contracts with the government over the past decade, according to data from federal market intelligence provider GovTribe.
Federal login data has repeatedly been a target of malicious actors. The Federal Communications Commission in early March confirmed it was the target of a phishing scheme in which hackers built a cloned version of an agency verification site to siphon staff login credentials. The State Department also recently warned current and former employees to be cautious of a fraudulent scheme targeting workers’ payroll accounts.