Lawmakers want to recharge FISMA

OMB seeks more guidelines from NIST to help federal info security evolve

Lawmakers have introduced bills that would amend the Federal Information Security Management Act  to improve security, despite the insistence of Office of Management and Budget officials that no additional legislation is necessary.

Karen Evans, OMB’s administrator for e-government and information technology, testified June 7 that FISMA did not require additional legislation, but she said updated guidance from the National Institute of Standards and Technology would help agencies meet the act’s goals.

Evans told members of two subcommittees of the House Oversight and Government Reform Committee that agencies need to do more than fill out paperwork.

But at least one senator wasn’t willing to wait for the NIST guidance. The day of the House hearing, Sen. Norm Coleman (R-Minn.) introduced a bill to amend FISMA, giving OMB more power to define information security standards and expand the definition of sensitive and personally identifiable information.

“This is about government accountability and our responsibility to protect the integrity of the public’s information and not put our citizens at risk of identity theft,” Coleman said in a statement.

In his bill, the definition of sensitive personal information would expand beyond name, Social Security number, date and place of birth, and biometric records to include employment history, financial transactions and medical history.

Coleman’s legislation is a companion measure to a bill introduced by Rep. Tom Davis (R-Va.), the author of FISMA.

Davis’ bill, unveiled May 3, would require agencies to devise practices and standards for data breach notifications and would amend FISMA to give chief information officers authority to enforce IT security.
Agencies implement FISMA through OMB directives that require them to adopt risk-based information security management policies and procedures. Agencies receive graded scores in an annual report card format.

Government officials and industry leaders have long complained that FISMA compliance is a paperwork exercise focused on documentation rather than real-time security monitoring.

Evans testified that agencies can follow FISMA to the letter of the law and still be insecure — as some critics of OMB’s FISMA policies have charged.
Gregory Wilshusen, director of information security issues at the Government Accountability Office, agreed with Evans that uneven implementation and evaluation of information systems security could be FISMA’s greatest weakness.

Wilshusen added that the quality of agencies’ testing and evaluation methods also varied greatly, and he recommended creating a common framework to gather evidence more efficiently.

GAO is examining OMB’s performance measures and will release a report on FISMA later this year, he said.

Many agency officials agree that FISMA could be more effective. Vance Hitch, the Justice Department’s chief information officer, said he wanted Justice to move beyond identifying vulnerabilities and toward a more operational focus on information systems  security.
FISMA’s possibly amended futureSen. Norm Coleman (R-Minn.) and Rep. Tom Davis (R-Va.) introduced the Federal Agency Data Breach Protection Act to their houses of Congress June 7 and May 3, respectively. The bills would amend the Federal Information Security Management Act to authorize:
  • Office of Management and Budget officials to establish policies, procedures and standards for agencies to disclose data breaches.
  • Chief information officers to enforce FISMA standards. CIOs would also be required to develop and maintain an inventory of computers, laptop PCs and hardware containing sensitive personal information.
  • Chief human capital officers to account for all federal property assigned to employees at the end of their employment at a federal agency.
In addition, sensitive personally identifiable information would be redefined to include education, financial transactions, medical history, criminal or employment history, name, Social Security number, date and place of birth, mother’s maiden name and biometric records.

— Wade-Hahn Chan


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.