Newly arriving from DHS: binding operational directives

The Federal Information Security Modernization Act of 2014 introduces a new term to the federal security management lexicon: binding operational directive. The text of the law defines binding operational directive as “a compulsory direction to an agency that is for purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk.” While somewhat common in financial and military contexts – both the World Bank and the U.S. Department of Defense, for example, frequently use the term operational directive in official documents – its appearance in FISMA 2014 seems novel, at least for federal legislation. Its purpose here appears to be directly tied to the responsibility that the Act assigns to the Secretary of the Department of Homeland Security (DHS) to issue, in consultation with the Director of the Office of Management and Budget (OMB), mandatory instructions to agencies about implementing security measures and practices called for in FISMA or in policies, standards, or guidelines developed under FISMA’s authority. Binding operational directives will presumably supplement or replace the security-related memoranda regularly issued by OMB. Because DHS is an executive agency, not part of the Executive Office of the President like OMB, directives from DHS would presumably not be mandatory for peer agencies without the additional statutory authority that FISMA 2014 provides. Going forward under FISMA, operational information security directives issued by DHS will be compulsory for all federal executive agencies (Congress and the courts will remain outside FISMA’s scope), enabling DHS to more effectively perform its cybersecurity responsibilities under the law.