Cybersecurity moving up on Congress' to-do list, staffer says

Senate policy analyst says momentum is growing for a comprehensive bill

Momentum is growing on Capitol Hill for passage of cybersecurity legislation that would update the Federal Information Security Management Act (FISMA) and set policy for protecting the nation’s critical infrastructure, a Senate staffer said today.

“Cybersecurity is an issue that members of Congress are focusing on,” said Deborah Parkinson, senior policy analyst on the Senate Homeland Security and Government Affairs Committee. “There is a large majority on the Hill who want to take action.”

Parkinson, speaking at the Digital Government Institute Cybersecurity Conference in Washington, said legislation could come from information security amendments included in the Defense Department Authorization Bill passed in the House this week, despite differences between the House legislation and a cybersecurity bill now being drafted in the Senate Homeland Security Committee.

She also responded to public concerns about leaked provisions of the committee’s bill that would give the president power to mandate emergency controls on private infrastructure in the event of an “imminent cyber threat.”

“We are not taking over the world; we are not taking over anybody’s networks,” Parkinson said of the bill, which is now in a staff draft and has not been released. She said the president’s authority would be strictly limited in scope and time, and would apply only in extreme situations. “The president needs to have some very limited authorization,” but “the broad vision of a president taking over networks is not a part of what we are doing.”

Related stories:

Consensus growing for reform of flawed FISMA

FISMA reform would elevate White House’s cyber authority

The legislation is being based on FISMA reform bills that have been introduced in recent congressional sessions by committee member Sen. Thomas R. Carper (D-Del.), which would put senior policy coordination and leadership in the White House, and keep it answerable to Congress. It also would change agency requirements for measuring and reporting on security, which has been condemned under the existing FISMA as an endless paper chase.

“We hear time and again that budgets are tied up in doing reports rather than actually doing things that would improve security,” Parkinson said.

Whether cybersecurity updates will remain in the final DOD authorization bill and, if so, what they would look like, still is up in the air.

“The amendments that passed in the house are different from the FISMA legislation that Senator Carper introduced, which is the basis of what we are working on in the committee,” Parkinson said. One concern is that the House language does not specify the role of the Homeland Security Department in protecting government networks. However, she said, “the fact that they moved on FISMA reform is a good thing, and we will work through the differences.”

Until those differences are worked out, changes already are underway in FISMA compliance. The Office of Management and Budget in April issued new requirements for FISMA reporting, focusing more on real-time monitoring of system status rather than static snapshots for certification and accreditation. DHS expects to have new metrics for reporting ready for agencies by Aug. 3. A preliminary framework has been developed that streamlines requirements and focuses on the impact of security controls, said Matt Coose, federal network security director in the DHS National Cybersecurity Division.

“The point is assessing the risk posture,” Coose said.

One focus of the new metrics is automation. As the ability and availability of automated tools for assessing impact and status improves, the compliance metrics will attempt to move agencies toward better use of them, Coose said. But reporting requirements will have to balance between using automated tools and gathering data manually.

“There are a limited set of things today that can be automated,” he said. The first iteration of compliance metrics will probably require about 20 percent automated and 80 percent manual data, but the goal is eventually to shift that to an 80-20 mix.

Former Air Force CIO John Gilligan, also speaking at the event, had some kind words for FISMA.

“I viewed it very positively” when it came out in 2002, he said. “It allowed greater focus on cybersecurity at a time when cybersecurity was not center-stage.”

He said that it was straightforward and well written, but that compliance requirements, which were worked out in standards and regulations after the law was passed, were ineffective and became burdensome. “The guidance was overwhelming for most organizations.”

He said the direction in which cybersecurity needs to move is toward more automation, use of standards such as the Security Compliance Automation Protocols developed by the National Institute of Standards and Technology and the NSA, and prioritizing with the use of tools such as the Consensus Audit Guidelines of 20 critical security controls.


About the Author

William Jackson is a Maryland-based freelance writer.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Fri, Jun 4, 2010

I wonder how much $$ the IA lobby has put in the kitty???

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group