When you analyze the process undertaken to appoint the newly founded cyber security coordinator position you find it no exception. There has been, and will continue to be, debate over the ability of the latest appointee (Howard Schmidt) to move forward a national cyber security agenda without a significant budget authority. I know ...I know...it sounds like the White House is repeating one of the fundamental mistakes that the information security professionals in industry have seen time and again - no authority to enforce policy. Oh, and not to mention that within the first weeks of his appointment Schmidt was hit with the announcement of the Google vs. China situation. Between the lack of budget authority and the constant state of crisis, this program may find itself in a place where it is hard to imagine much progress.

However, with the passing of HR 4061, better known as the Cyber security Enhancement Act, the House of Representatives has taken the latest step in a march toward meaningful cyber security enhancements for the U.S. government and its people. Building on the appointments and policy statements of the Obama administration with legislation designed to build the information security professional communities through research and grants, as well as empowering the National Institute of Standards and Technology to build internationally recognized standards, has the potential to provide some much needed support to the program.

When I step back and look at the broad view, I can see that these are the kinds of steps that most information security professionals would recommend an organization take to build a strong security program. Appoint a leader > develop policy > empower business units to set standards > create a security awareness program, etc. Enforcement and funding are not small hurdles, but with each small step forward it does seem that the folks in Washington are making some progress and I like it!