Senate panel rejects weakening FISMA bill

The Senate Homeland Security and Governmental Affairs Committee today considered a bill that would raise the bar for agencies to prove that they adequately protect sensitive information, and rejected an amendment that would weaken the measure.

Under the provisions of the Federal Information Security Management Act of 2008, S. 3474, agencies would implement security measures to fit the risk and degree of harm that would result from the loss of an agency's information, or from unauthorized access to that information.

The bill would provide for the Homeland Security Department to conduct penetration testing of civilian agencies’ systems and for Congress to evaluate agencies’ information security plans.

The legislation would also establish a Chief Information Security Officers Council so agency CISOs could share best practices. The measure also would enlarge the authority of agency CISOs to enforce compliance in consultation and collaboration with the chief information officer. Under current law, the CISO’s job is to assure compliance.

The committee will vote on the bill later today or on Sept. 18, said Sen. Tom Carper (D-Del.), chairman of the committee’s Federal Financial Management, Government Information, Federal Services and International Security Subcommittee. He introduced the measure earlier this month.

The measure would amend the original FISMA legislation, which outlined compliance activities for agencies to meet each year. However, many agencies have turned FISMA compliance into a paperwork exercise, Carper said.

“Measuring an agency’s compliance does not stop the countless examples of data loss due to negligence or willful intent,” he said.

The committee rejected an amendment by Sen. Tom Coburn (R-Okla.), ranking member of the subcommittee, to strike the establishment of the CISO council from the bill. He noted that the CIO Council already has information security responsibilities and said such a new council would cost money.

“I don’t want to create another layer of bureaucracy that would make us more inefficient,” Coburn said.

Carper said CIOs primarily develop and oversee policy, but the CISO handles the daily information security activities. He suggested that a CISO council could have a sunset date of two or three years. If the council demonstrated benefits, it could be extended, Carper said.

Also, the bill would standardize information security audits performed by agency inspectors general and require that DHS report to Congress on the government’s ability to safeguard sensitive information.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
