Lawmakers want to recharge FISMA

OMB seeks more guidelines from NIST to help federal info security evolve

Lawmakers have introduced bills that would amend the Federal Information Security Management Act  to improve security, despite the insistence of Office of Management and Budget officials that no additional legislation is necessary.

Karen Evans, OMB’s administrator for e-government and information technology, testified June 7 that FISMA did not require additional legislation, but she said updated guidance from the National Institute of Standards and Technology would help agencies meet the act’s goals.

Evans told members of two subcommittees of the House Oversight and Government Reform Committee that agencies need to do more than fill out paperwork.

But at least one senator wasn’t willing to wait for the NIST guidance. The day of the House hearing, Sen. Norm Coleman (R-Minn.) introduced a bill to amend FISMA, giving OMB more power to define information security standards and expand the definition of sensitive and personally identifiable information.

“This is about government accountability and our responsibility to protect the integrity of the public’s information and not put our citizens at risk of identity theft,” Coleman said in a statement.

In his bill, the definition of sensitive personal information would expand beyond name, Social Security number, date and place of birth, and biometric records to include employment history, financial transactions and medical history.

Coleman’s legislation is a companion measure to a bill introduced by Rep. Tom Davis (R-Va.), the author of FISMA.

Davis’ bill, unveiled May 3, would require agencies to devise practices and standards for data breach notifications and would amend FISMA to give chief information officers authority to enforce IT security.
 
Agencies implement FISMA through OMB directives that require them to adopt risk-based information security management policies and procedures. Agencies receive graded scores in an annual report card format.

Government officials and industry leaders have long complained that FISMA compliance is a paperwork exercise focused on documentation rather than real-time security monitoring.

Evans testified that agencies can follow FISMA to the letter of the law and still be insecure — as some critics of OMB’s FISMA policies have charged.
Gregory Wilshusen, director of information security issues at the Government Accountability Office, agreed with Evans that uneven implementation and evaluation of information systems security could be FISMA’s greatest weakness.

Wilshusen added that the quality of agencies’ testing and evaluation methods also varied greatly, and he recommended creating a common framework to gather evidence more efficiently.

GAO is examining OMB’s performance measures and will release a report on FISMA later this year, he said.

Many agency officials agree that FISMA could be more effective. Vance Hitch, the Justice Department’s chief information officer, said he wanted Justice to move beyond identifying vulnerabilities and toward a more operational focus on information systems  security.
FISMA’s possibly amended futureSen. Norm Coleman (R-Minn.) and Rep. Tom Davis (R-Va.) introduced the Federal Agency Data Breach Protection Act to their houses of Congress June 7 and May 3, respectively. The bills would amend the Federal Information Security Management Act to authorize:
  • Office of Management and Budget officials to establish policies, procedures and standards for agencies to disclose data breaches.
  • Chief information officers to enforce FISMA standards. CIOs would also be required to develop and maintain an inventory of computers, laptop PCs and hardware containing sensitive personal information.
  • Chief human capital officers to account for all federal property assigned to employees at the end of their employment at a federal agency.
In addition, sensitive personally identifiable information would be redefined to include education, financial transactions, medical history, criminal or employment history, name, Social Security number, date and place of birth, mother’s maiden name and biometric records.

— Wade-Hahn Chan

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • Social network, census

    5 predictions for federal IT in 2017

    As the Trump team takes control, here's what the tech community can expect.

  • Rep. Gerald Connolly

    Connolly warns on workforce changes

    The ranking member of the House Oversight Committee's Government Operations panel warns that Congress will look to legislate changes to the federal workforce.

  • President Donald J. Trump delivers his inaugural address

    How will Trump lead on tech?

    The businessman turned reality star turned U.S. president clearly has mastered Twitter, but what will his administration mean for broader technology issues?

  • Login.gov moving ahead

    The bid to establish a single login for accessing government services is moving again on the last full day of the Obama presidency.

  • Shutterstock image (by Jirsak): customer care, relationship management, and leadership concept.

    Obama wraps up security clearance reforms

    In a last-minute executive order, President Obama institutes structural reforms to the security clearance process designed to create a more unified system across government agencies.

  • Shutterstock image: breached lock.

    What cyber can learn from counterterrorism

    The U.S. has to look at its experience in developing post-9/11 counterterrorism policies to inform efforts to formalize cybersecurity policies, says a senior official.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group