Lawmakers want to recharge FISMA

OMB seeks more guidelines from NIST to help federal info security evolve

Lawmakers have introduced bills that would amend the Federal Information Security Management Act  to improve security, despite the insistence of Office of Management and Budget officials that no additional legislation is necessary.

Karen Evans, OMB’s administrator for e-government and information technology, testified June 7 that FISMA did not require additional legislation, but she said updated guidance from the National Institute of Standards and Technology would help agencies meet the act’s goals.

Evans told members of two subcommittees of the House Oversight and Government Reform Committee that agencies need to do more than fill out paperwork.

But at least one senator wasn’t willing to wait for the NIST guidance. The day of the House hearing, Sen. Norm Coleman (R-Minn.) introduced a bill to amend FISMA, giving OMB more power to define information security standards and expand the definition of sensitive and personally identifiable information.

“This is about government accountability and our responsibility to protect the integrity of the public’s information and not put our citizens at risk of identity theft,” Coleman said in a statement.

In his bill, the definition of sensitive personal information would expand beyond name, Social Security number, date and place of birth, and biometric records to include employment history, financial transactions and medical history.

Coleman’s legislation is a companion measure to a bill introduced by Rep. Tom Davis (R-Va.), the author of FISMA.

Davis’ bill, unveiled May 3, would require agencies to devise practices and standards for data breach notifications and would amend FISMA to give chief information officers authority to enforce IT security.
Agencies implement FISMA through OMB directives that require them to adopt risk-based information security management policies and procedures. Agencies receive graded scores in an annual report card format.

Government officials and industry leaders have long complained that FISMA compliance is a paperwork exercise focused on documentation rather than real-time security monitoring.

Evans testified that agencies can follow FISMA to the letter of the law and still be insecure — as some critics of OMB’s FISMA policies have charged.
Gregory Wilshusen, director of information security issues at the Government Accountability Office, agreed with Evans that uneven implementation and evaluation of information systems security could be FISMA’s greatest weakness.

Wilshusen added that the quality of agencies’ testing and evaluation methods also varied greatly, and he recommended creating a common framework to gather evidence more efficiently.

GAO is examining OMB’s performance measures and will release a report on FISMA later this year, he said.

Many agency officials agree that FISMA could be more effective. Vance Hitch, the Justice Department’s chief information officer, said he wanted Justice to move beyond identifying vulnerabilities and toward a more operational focus on information systems  security.
FISMA’s possibly amended futureSen. Norm Coleman (R-Minn.) and Rep. Tom Davis (R-Va.) introduced the Federal Agency Data Breach Protection Act to their houses of Congress June 7 and May 3, respectively. The bills would amend the Federal Information Security Management Act to authorize:
  • Office of Management and Budget officials to establish policies, procedures and standards for agencies to disclose data breaches.
  • Chief information officers to enforce FISMA standards. CIOs would also be required to develop and maintain an inventory of computers, laptop PCs and hardware containing sensitive personal information.
  • Chief human capital officers to account for all federal property assigned to employees at the end of their employment at a federal agency.
In addition, sensitive personally identifiable information would be redefined to include education, financial transactions, medical history, criminal or employment history, name, Social Security number, date and place of birth, mother’s maiden name and biometric records.

— Wade-Hahn Chan

Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.


  • Shutterstock imag (by Benjamin Haas): cyber coded team.

    What keeps govtech leaders up at night?

    A joint survey by Grant Thornton and PSC found that IT stakeholders in government fear their own employees and outdated systems the most when it comes to cybersecurity.

  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group