CISOs ponder new FISMA requirements
A bill that would amend the Federal Information Security Management Act (FISMA) could pass during the next session of Congress, and chief information security officers are wondering what more FISMA requirements might mean for them.
Legislation to amend the current FISMA requirements cleared the Senate Homeland Security and Governmental Affairs Committee earlier this year.
The bill would change how agencies’ information security practices are evaluated and would redefine the role of the CISO.
participating in a panel discussion at a Government Technology Research Alliance conference today in Hershey, Pa., said changes under the bill
- Requiring an annual independent audit rather than an annual evaluation.
- Increasing CISOs' responsibilities.
- Requiring operational evaluations.
- Establishing a CISO council.
- Mandating standard governmentwide contract language.
- Requiring the Homeland Security Department to present an annual report to Congress.
The CISOs said one provision with potential difficulties would require them to direct and manage information technology security programs and functions in all subordinate agency organizations, including components, bureaus and offices.
a large department, I don’t see how that would be effective or doable,” said Richard Prentiss, CISO at the Treasury Department’s Office of
He said different components’ networks in his department have different security rules, and it would be difficult to tell all component agencies how to handle subordinate network
He added that component agencies “do it differently. The outcome is the same, but we do it based upon the efficiencies that we have within our organization.”
Marian Cody, CISO at the Environmental Protection Agency, said the legislative language that would define the CISO’s authority over component offices needs clarifying. Cody said a provision that would give the CISO authority to block an agency's information system from accessing the network if the system has been compromised or doesn't meet security policies — essentially disconnecting a system — would be difficult to implement.
least at EPA, this really goes against the culture of the agency. This is big time,” she said. “There’s going to be lots of discussion around this and what this means and how to scope this appropriately to meet the agency’s culture and willingness to cooperate.”
also discussed the bill's requirements for a series of additional evaluations, and requirements that annual evaluations of agencies’ information security be audits.
“The theme of this entire act is audit, audit, audit and then audit some more,” Cody said. The bill “actually turns the CISO…into an auditor, and at EPA, what we’ve tried to do is exactly not that.… So we really don’t want to become yet
Patrick Howard, CISO at the Nuclear Regulatory Commission, said compliance is measured differently by various agencies, and the bill aims to provide some consistency across the
“There is going to be a need for some implementing instructions from the Office of Management and Budget, the [U.S.] Computer Emergency Readiness Team, the National Institute of Standards and Technology, [and] others in order for us to really comply,” he said. “They need to really help us define what the requirements are.”
Ben Bain is a reporter for Federal Computer Week.