Senate panel rejects weakening FISMA bill

The Senate Homeland Security and Governmental Affairs Committee today considered a bill that would raise the bar for agencies to prove that they adequately protect sensitive information, and rejected an amendment that would weaken the measure.

Under the provisions of the Federal Information Security Management Act of 2008, S. 3474, agencies would implement security measures to fit the risk and degree of harm that would result from the loss of an agency's information, or from unauthorized access to that information.

The bill would provide for the Homeland Security Department to conduct penetration testing of civilian agencies’ systems and for Congress to evaluate agencies’ information security plans.

The legislation would also establish a Chief Information Security Officers Council so agency CISOs could share best practices. The measure also would enlarge the authority of agency CISOs to enforce compliance in consultation and collaboration with the chief information officer. Under current law, the CISO’s job is to assure compliance.

The committee will vote on the bill later today or on Sept. 18, said Sen. Tom Carper (D-Del.), chairman of the committee’s Federal Financial Management, Government Information, Federal Services and International Security Subcommittee. He introduced the measure earlier this month.

The measure would amend the original FISMA legislation, which outlined compliance activities for agencies to meet each year. However, many agencies have turned FISMA compliance into a paperwork exercise, Carper said.

“Measuring an agency’s compliance does not stop the countless examples of data loss due to negligence or willful intent,” he said.

The committee rejected an amendment by Sen. Tom Coburn (R-Okla.), ranking member of the subcommittee, to strike the establishment of the CISO council from the bill. He noted that the CIO Council already has information security responsibilities and said such a new council would cost money.

“I don’t want to create another layer of bureaucracy that would make us more inefficient,” Coburn said.

Carper said CIOs primarily develop and oversee policy, but the CISO handles the daily information security activities. He suggested that a CISO council could have a sunset date of two or three years. If the council demonstrated benefits, it could be extended, Carper said.

Also, the bill would standardize information security audits performed by agency inspectors general and require that DHS report to Congress on the government’s ability to safeguard sensitive information.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.