Senate panel rejects weakening FISMA bill

The Senate Homeland Security and Governmental Affairs Committee today considered a bill that would raise the bar for agencies to prove that they adequately protect sensitive information, and rejected an amendment that would weaken the measure.

Under the provisions of the Federal Information Security Management Act of 2008, S. 3474, agencies would implement security measures to fit the risk and degree of harm that would result from the loss of an agency's information, or from unauthorized access to that information.

The bill would provide for the Homeland Security Department to conduct penetration testing of civilian agencies’ systems and for Congress to evaluate agencies’ information security plans.

The legislation would also establish a Chief Information Security Officers Council so agency CISOs could share best practices. The measure also would enlarge the authority of agency CISOs to enforce compliance in consultation and collaboration with the chief information officer. Under current law, the CISO’s job is to assure compliance.

The committee will vote on the bill later today or on Sept. 18, said Sen. Tom Carper (D-Del.), chairman of the committee’s Federal Financial Management, Government Information, Federal Services and International Security Subcommittee. He introduced the measure earlier this month.

The measure would amend the original FISMA legislation, which outlined compliance activities for agencies to meet each year. However, many agencies have turned FISMA compliance into a paperwork exercise, Carper said.

“Measuring an agency’s compliance does not stop the countless examples of data loss due to negligence or willful intent,” he said.

The committee rejected an amendment by Sen. Tom Coburn (R-Okla.), ranking member of the subcommittee, to strike the establishment of the CISO council from the bill. He noted that the CIO Council already has information security responsibilities and said such a new council would cost money.

“I don’t want to create another layer of bureaucracy that would make us more inefficient,” Coburn said.

Carper said CIOs primarily develop and oversee policy, but the CISO handles the daily information security activities. He suggested that a CISO council could have a sunset date of two or three years. If the council demonstrated benefits, it could be extended, Carper said.

Also, the bill would standardize information security audits performed by agency inspectors general and require that DHS report to Congress on the government’s ability to safeguard sensitive information.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.