Bill spells out security responsibilities
- By Diane Frank
- Mar 26, 2000
Agencies would be required to take full responsibility for the security
of their information systems under a bill approved by the Senate Governmental
Affairs Committee Thursday.
The Government Information Security Act is co-sponsored by committee chairman
Sen. Fred Thompson (R-Tenn.) and ranking member Sen. Joe Lieberman (D-Conn.).
GISA is designed "to delineate much more specifically the responsibilities"
for improving federal information security practices, Thompson said.
The responsibilities for agencies include:
* Making sure federal employees are properly trained in the technology and
policies of their agency.
* Developing and implementing information security policies, procedures
and controls based on the agency's level of risk.
* Ensuring the agency's information security plan is practiced throughout
the life cycle of each agency system.
* Creating a senior agency information security official who will report
to the chief information officer.
* Ensuring that the CIO works with other senior agency administrators.
* Performing an annual independent evaluation of all security programs and
practices that the General Accounting Office will review and report to Congress.
The bill places oversight responsibility for government security under the
deputy director for management at the Office of Management and Budget. Thompson
and Lieberman want OMB to have responsibility for aspects of the national
security agencies as well, but they clearly defined the line where the secretary
of Defense and the director of Central Intelligence will still maintain
control and responsibility.
"We should be able to deal with both, and it should not be controversial,"
Lieberman said. "We have negotiated with some of the security agencies about
their concerns and have been able to accommodate them while maintaining the
concentration of responsibility at OMB."
The bill (S.1993) also picks up on several security initiatives the president
proposed in January in the National Plan for Information Systems Protection.
Key among these is providing authorization to agencies for the federal cyberservice
initiative, which will train and recruit information security personnel,