Lawmakers want to recharge FISMA

OMB seeks more guidelines from NIST to help federal info security evolve

Lawmakers have introduced bills that would amend the Federal Information Security Management Act  to improve security, despite the insistence of Office of Management and Budget officials that no additional legislation is necessary.

Karen Evans, OMB’s administrator for e-government and information technology, testified June 7 that FISMA did not require additional legislation, but she said updated guidance from the National Institute of Standards and Technology would help agencies meet the act’s goals.

Evans told members of two subcommittees of the House Oversight and Government Reform Committee that agencies need to do more than fill out paperwork.

But at least one senator wasn’t willing to wait for the NIST guidance. The day of the House hearing, Sen. Norm Coleman (R-Minn.) introduced a bill to amend FISMA, giving OMB more power to define information security standards and expand the definition of sensitive and personally identifiable information.

“This is about government accountability and our responsibility to protect the integrity of the public’s information and not put our citizens at risk of identity theft,” Coleman said in a statement.

In his bill, the definition of sensitive personal information would expand beyond name, Social Security number, date and place of birth, and biometric records to include employment history, financial transactions and medical history.

Coleman’s legislation is a companion measure to a bill introduced by Rep. Tom Davis (R-Va.), the author of FISMA.

Davis’ bill, unveiled May 3, would require agencies to devise practices and standards for data breach notifications and would amend FISMA to give chief information officers authority to enforce IT security.
 
Agencies implement FISMA through OMB directives that require them to adopt risk-based information security management policies and procedures. Agencies receive graded scores in an annual report card format.

Government officials and industry leaders have long complained that FISMA compliance is a paperwork exercise focused on documentation rather than real-time security monitoring.

Evans testified that agencies can follow FISMA to the letter of the law and still be insecure — as some critics of OMB’s FISMA policies have charged.
Gregory Wilshusen, director of information security issues at the Government Accountability Office, agreed with Evans that uneven implementation and evaluation of information systems security could be FISMA’s greatest weakness.

Wilshusen added that the quality of agencies’ testing and evaluation methods also varied greatly, and he recommended creating a common framework to gather evidence more efficiently.

GAO is examining OMB’s performance measures and will release a report on FISMA later this year, he said.

Many agency officials agree that FISMA could be more effective. Vance Hitch, the Justice Department’s chief information officer, said he wanted Justice to move beyond identifying vulnerabilities and toward a more operational focus on information systems  security.
FISMA’s possibly amended futureSen. Norm Coleman (R-Minn.) and Rep. Tom Davis (R-Va.) introduced the Federal Agency Data Breach Protection Act to their houses of Congress June 7 and May 3, respectively. The bills would amend the Federal Information Security Management Act to authorize:
  • Office of Management and Budget officials to establish policies, procedures and standards for agencies to disclose data breaches.
  • Chief information officers to enforce FISMA standards. CIOs would also be required to develop and maintain an inventory of computers, laptop PCs and hardware containing sensitive personal information.
  • Chief human capital officers to account for all federal property assigned to employees at the end of their employment at a federal agency.
In addition, sensitive personally identifiable information would be redefined to include education, financial transactions, medical history, criminal or employment history, name, Social Security number, date and place of birth, mother’s maiden name and biometric records.

— Wade-Hahn Chan

The 2014 Federal 100

FCW is very pleased to profile the women and men who make up this year's Fed 100. 

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above