Carper introduces bills to reform IT procurement, FISMA

A Senate subcommittee chairman introduced legislation on Tuesday that would alter how agencies ensure the security of their information technology systems and create a new office in the White House with the power to oversee federal IT security. The legislation would also reform the IT acquisition process through increased accountability and transparency.

Sen. Thomas Carper (D-Del.), chairman of the Homeland Security and Governmental Affairs Committee’s Federal Financial Management, Government Information, Federal Services, and International Security Subcommittee, introduced the legislation as two separate bills.

One of the measures focuses on information security and is designed to improve the Federal Information Security Management Act (FISMA) to deal with complaints that the law doesn’t do enough to ensure federal IT security. Meanwhile, a separate bill would increase oversight of IT investments and reduce cost overruns.

The information security-focused bill would establish a new National Office for Cyberspace to be part of the Executive Office of the President. That office would coordinate efforts to secure the country’s information infrastructure and establish a comprehensive national cyberspace strategy, according to a draft of the bill. That office would also oversee policies, principles, standards, and guidelines on information security.

The director of the new cyberspace office would oversee governmentwide operational evaluations on a frequent and recurring basis to make sure that agencies monitor, detect, analyze, protect and report known vulnerabilities and attacks. The director would also have to submit a series of reports to Congress.

In addition, the Commerce Department would establish standards and guidelines for government information systems that mirror, as much as possible, the standards used for national security systems, to enhance information security and information sharing, the draft said.

The legislation would also give chief information security officers the authority to ensure that agencies can -- on an automated and continuous basis -- detect, report and mitigate cyber incidents. Each agency would also have to put in place its own information security program that has been approved by the director of the new White House office, according to the draft. Agencies would also be responsible for annual reports and evaluations.

Meanwhile, the bill focused on IT procurement would establish a Web site that would include information on the cost, schedule, and performance of all major government IT investments. The site would also include trend information on IT projects and information on investments that have exceeded their costs, schedules, or performance by more than ten percent of original plans.

If an IT project is determined to have a cost, schedule, or performance variance of at least 40 percent from original projections, the agency would be required to develop a “remedial action plan” to fix the problem. Failure to fix the problem by the required deadline would mean “additional funds may not be obligated to support expenditures associated with the project” until the requirements have been fulfilled, the draft said.

In addition, the IT acquisition measure would require chief information officers to create a program to improve their agencies’ IT procurement processes, according to the draft. Those programs would include ways to measure performance in real time and a process through which the CIO could stop the funding of an IT investment if it is at risk of failure.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Reader comments

Wed, Apr 29, 2009 M.H. DC

There is much in the current (and new I'm sure) FISMA guidelines that a CIO typically does not have control over, such as physical security, personnel security, environmental protections, etc. I'd like to see the administration provide guidance to those responsible for non-IT controls and mandate their compliance to FISMA standards. That will free up CIOs' time in trying to persuade them of their responsibilities in IT security compliance.