Senate panel rejects weakening FISMA bill

The Senate Homeland Security and Governmental Affairs Committee today considered a bill that would raise the bar for agencies to prove that they adequately protect sensitive information, and rejected an amendment that would weaken the measure.

Under the provisions of the Federal Information Security Management Act of 2008, S. 3474, agencies would implement security measures to fit the risk and degree of harm that would result from the loss of an agency's information, or from unauthorized access to that information.

The bill would provide for the Homeland Security Department to conduct penetration testing of civilian agencies’ systems and for Congress to evaluate agencies’ information security plans.

The legislation would also establish a Chief Information Security Officers Council so agency CISOs could share best practices. The measure also would expand the authority of agency CISOs from assuring compliance, which is their job under current law, to enforcing it, in consultation and collaboration with the chief information officer.

The committee will vote on the bill later today or on Sept. 18, said Sen. Tom Carper (D-Del.), chairman of the committee’s Federal Financial Management, Government Information, Federal Services and International Security Subcommittee. He introduced the measure earlier this month.

The measure would amend the original FISMA legislation, which outlined compliance activities for agencies to meet each year. However, many agencies have turned FISMA compliance into a paperwork exercise, Carper said.

“Measuring an agency’s compliance does not stop the countless examples of data loss due to negligence or willful intent,” he said.

The committee rejected an amendment by Sen. Tom Coburn (R-Okla.), ranking member of the subcommittee, to strike the establishment of the CISO council from the bill. He noted that the CIO Council already has information security responsibilities and said such a new council would cost money.

“I don’t want to create another layer of bureaucracy that would make us more inefficient,” Coburn said.

Carper said CIOs primarily develop and oversee policy, but the CISO handles the daily information security activities. He suggested that a CISO council could have a sunset date of two or three years. If the council demonstrated benefits, it could be extended, Carper said.

Also, the bill would standardize information security audits performed by agency inspectors general and require that DHS report to Congress on the government’s ability to safeguard sensitive information.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
