Cybersecurity moving up on Congress' to-do list, staffer says

Senate policy analyst says momentum is growing for a comprehensive bill

Momentum is growing on Capitol Hill for passage of cybersecurity legislation that would update the Federal Information Security Management Act (FISMA) and set policy for protecting the nation’s critical infrastructure, a Senate staffer said today.

“Cybersecurity is an issue that members of Congress are focusing on,” said Deborah Parkinson, senior policy analyst on the Senate Homeland Security and Government Affairs Committee. “There is a large majority on the Hill who want to take action.”

Parkinson, speaking at the Digital Government Institute Cybersecurity Conference in Washington, said legislation could come from information security amendments included in the Defense Department Authorization Bill passed in the House this week, despite differences between the House legislation and a cybersecurity bill now being drafted in the Senate Homeland Security Committee.

She also responded to public concerns about leaked provisions of the committee’s bill that would give the president power to mandate emergency controls on private infrastructure in the event of an “imminent cyber threat.”

“We are not taking over the world; we are not taking over anybody’s networks,” Parkinson said of the bill, which is now in a staff draft and has not been released. She said the president’s authority would be strictly limited in scope and time, and would apply only in extreme situations. “The president needs to have some very limited authorization,” but “the broad vision of a president taking over networks is not a part of what we are doing.”


Related stories:

Consensus growing for reform of flawed FISMA

FISMA reform would elevate White House’s cyber authority


The legislation is being based on FISMA reform bills that have been introduced in recent congressional sessions by committee member Sen. Thomas R. Carper (D-Del.), which would put senior policy coordination and leadership in the White House, and keep it answerable to Congress. It also would change agency requirements for measuring and reporting on security, which has been condemned under the existing FISMA as an endless paper chase.

“We hear time and again that budgets are tied up in doing reports rather than actually doing things that would improve security,” Parkinson said.

Whether cybersecurity updates will remain in the final DOD authorization bill and, if so, what they would look like, still is up in the air.

“The amendments that passed in the house are different from the FISMA legislation that Senator Carper introduced, which is the basis of what we are working on in the committee,” Parkinson said. One concern is that the House language does not specify the role of the Homeland Security Department in protecting government networks. However, she said, “the fact that they moved on FISMA reform is a good thing, and we will work through the differences.”

Until those differences are worked out, changes already are underway in FISMA compliance. The Office of Management and Budget in April issued new requirements for FISMA reporting, focusing more on real-time monitoring of system status rather than static snapshots for certification and accreditation. DHS expects to have new metrics for reporting ready for agencies by Aug. 3. A preliminary framework has been developed that streamlines requirements and focuses on the impact of security controls, said Matt Coose, federal network security director in the DHS National Cybersecurity Division.

“The point is assessing the risk posture,” Coose said.

One focus of the new metrics is automation. As the ability and availability of automated tools for assessing impact and status improves, the compliance metrics will attempt to move agencies toward better use of them, Coose said. But reporting requirements will have to balance between using automated tools and gathering data manually.

“There are a limited set of things today that can be automated,” he said. The first iteration of compliance metrics will probably require about 20 percent automated and 80 percent manual data, but the goal is eventually to shift that to an 80-20 mix.

Former Air Force CIO John Gilligan, also speaking at the event, had some kind words for FISMA.

“I viewed it very positively” when it came out in 2002, he said. “It allowed greater focus on cybersecurity at a time when cybersecurity was not center-stage.”

He said that it was straightforward and well written, but that compliance requirements, which were worked out in standards and regulations after the law was passed, were ineffective and became burdensome. “The guidance was overwhelming for most organizations.”

He said the direction in which cybersecurity needs to move is toward more automation, use of standards such as the Security Compliance Automation Protocols developed by the National Institute of Standards and Technology and the NSA, and prioritizing with the use of tools such as the Consensus Audit Guidelines of 20 critical security controls.

 

About the Author

William Jackson is a Maryland-based freelance writer.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Fri, Jun 4, 2010

I wonder how much $$ the IA lobby has put in the kitty???

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group