Federal, business officials cautiously praise Security Act
- By Diane Frank
- Mar 02, 2000
A Senate bill that will hold agencies responsible for the management of
their information security practices drew praise from government and private-sector
officials yesterday, but they emphasized the need for specific security
standards and controls.
The Government Information Security Act (S. 1993) is designed to strengthen
agencies' accountability in security practices and management, and not just
It creates governmentwide goals for information security by:
* Bringing control of national security and civilian information management
under the Office of Management and Budget.
* Requiring an annual independent audit of agency security programs
and practices to reinforce accountability.
* Emphasizing the need for security awareness and training for all federal
Past legislation has left it to agencies to determine the level of security
to implement, but this approach is not working, said Jack Brock, director
of governmentwide and defense information systems at the General Accounting
Office's Accounting and Information Management Division, in testimony before
the Senate Governmental Affairs Committee.
That's apparent in the number of GAO audits that have found the same
security weaknesses at every agency reviewed, he said.
"After doing many of these [audits] and doing the same report over and
over, we said, "There has to be a better way,'" Brock said.
In response to GAO reports, agencies have fixed the specific weaknesses
mentioned while not addressing the underlying management issues. The bill
is an effort to hold agencies accountable for fixing these issues, but more
specific guidance also is necessary, Brock said.
GAO suggested, and the committee members agreed, that the bill should
establish a ranking system classifying the levels of sensitivity and risk
to agency information systems. GAO also recommended that the ranking system
should include minimum-security requirements for each level.
Brock also suggested creating a position, such as national chief information
officer, that would provide "higher visibility and more effective central
leadership of information security," he said. James Adams, chief executive
officer of Infrastructure Defense Inc., supported this idea.
NASA Inspector General Roberta Gross said that if the bill is to fulfill
its promise, Congress must also do something to strengthen CIO authority
within agencies. Agency CIOs are often seen as "paper tigers" by inspector
generals, without the leverage and control of resources necessary to develop,
implement and evaluate their agencies' security programs, she said.