Davis reinforces security rules

Rep. Tom Davis (R-Va.) introduced a bill March 6 that would update and extend the Government Information Security Reform Act, as members of Congress expressed concern over current legislation.

Besides permanently reauthorizing GISRA, which is due to expire Nov. 29, Davis' Federal Information Security Management Act (FISMA) requires agencies to follow security standards and tools developed by the National Institute of Standards and Technology. Under current legislation, those standards are simply recommendations.

"In general, FISMA streamlines GISRA's provisions and requires that agencies utilize information security best practices that will ensure the integrity, confidentiality and availability of federal information systems," Davis testified before the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee.

Those best practices would include the security assessment questionnaire developed by NIST last year. Many agencies are using that tool already, and this month NIST will release the first automated version of the questionnaire, according to Joan Hash, manager of the NIST Computer Security Division's security management and guidance group.

The bill also addresses one of the primary concerns of congressional officials: reporting requirements.

GISRA's primary provision is the annual security assessments that every agency chief information officer and inspector general must turn in to the Office of Management and Budget. At the hearing, held by subcommittee chairman Rep. Stephen Horn (R-Calif.), several officials raised concerns about GISRA reporting requirements. Part of the reason for the short sunset date on GISRA was to give Congress time to examine the bill, which passed at the end of the session in 2000 with very little discussion. A number of problems already have become apparent, said Rep. Janice Schakowsky (D-Ill.), ranking member on the subcommittee.

One main problem is the fact that GISRA does not require agencies to provide Congress with their entire report, only a summary that goes through OMB, she said. OMB released the first of these reports last month. The fact that Congress sees only this summary means members did not get to see any of the agencies' corrective action plans, leaving them in the dark about the status of agencies' security, she said.

The General Accounting Office is reviewing the implementation of GISRA for the subcommittee. GAO officials also are concerned about the lack of access to full reports and action plans, because it limits Congress' ability to oversee agencies' compliance and hampers current-year budget deliberations, said Robert Dacey, director of information security issues at GAO.

Davis' bill addresses this issue by requiring OMB to include in its annual report to Congress not only the summary of findings and deficiencies, but also "planned remedial actions to address such deficiencies."
