OMB does not support bill to update FISMA

The Bush administration doesn't support legislation introduced late last year that would modify the Federal Information Security Management Act, an administration official testified today.

The bill, sponsored by Reps. William Clay (D-Mo.), Henry Waxman (D-Calif.) and Edolphus Towns (D-N.Y.), would require agencies to develop policies and plans to identify and protect personal information and to develop requirements for reporting data breaches.


Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology, told House members that current activities being undertaken by agencies are closing the performance gaps and the legislation could cause agencies some unplanned problems.

“We want to make sure the changes are improving security,” Evans said after a hearing before the House Oversight and Government Reform Subcommittee on Information Policy, Census and the National Archives and the subcommittee on Government Management, Organization and Procurement. “We have the same goals, but need to work out the details.”

Evans testified that the foundation of FISMA is sound, and the bill could produce some “unintended consequences” that would “seriously impact established agency security and privacy practices while not necessarily achieving the outcomes of improved privacy and security.”

The measure follows OMB’s 06-16 memo from June 2006 that requires agencies to encrypt personal data using standards that would make the information unusable by unauthorized persons. The legislation also would mandate that agencies establish “minimum requirements regarding the protection of information maintained or transmitted by mobile digital devices.”

The bill also would require agencies to report data breaches in a timely manner to OMB and the Homeland Security Department’s U.S. Computer Emergency Response Center, and it also addresses security for peer-to-peer networks.

Clay said at the hearing that although some real progress has been made under FISMA, he is concerned whether the current requirements and OMB policies are enough to protect agencies from the onslaught of attacks.

“The bill would move us toward more rigid security requirements while staying within the FISMA framework,” he said.

Over the last five years, FISMA has been widely criticized because some agencies are merely  complying with its requirements and not actually improving network security. Although this criticism as waned recently, many say im provements to FISMA are necessary.

“The key change we need is to prioritize actions in FISMA,” said Alan Paller, director of research for the Sans Institute. “Agencies need to do what is most important first. Industry finds out where the attacks are coming from and fixes that area first and then worries about the rest.”

Greg Wilshusen, the Government Accountability Office’s director of information security issues, said that despite agencies' efforts to implement better IT security through FISMA, 20 of 24 major departments had inadequate information security controls that were either significantly deficient or had a material weakness.

Tim Bennett, president of the Cyber Security Industry Alliance, said that while FISMA has led to some success, his group would like to see eight changes through the Clay’s bill. Some of these include giving chief information officers and chief information security officers the authority they need to direct  budget and personnel needs. He called for continuous monitoring and assessments, improved performance measurement and incentives so agencies make information security a higher priority.


Rep. Tom Davis (R-Va.), author of FISMA, said the government must be more proactive instead of reactive with the goal of security, not compliance.

“I think we can make FISMA better,” he said. “I hope we can agree on the right language.”

Featured

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.