Carper introduces bills to reform IT procurement, FISMA

A Senate subcommittee chairman introduced legislation on Tuesday that would alter how agencies ensure the security of their information technology systems and create a new office in the White House with the power to oversee federal IT security. The legislation would also reform the IT acquisition process through increased accountability and transparency.

Sen. Thomas Carper (D-Del.), chairman of the Homeland Security and Governmental Affairs Committee’s Federal Financial Management, Government Information, Federal Services, and International Security Subcommittee, introduced the legislation as two separate bills.

One of the measures focuses on information security and is designed to improve the Federal Information Security Management Act (FISMA) in response to complaints that the law doesn't do enough to ensure federal IT security. The separate bill would increase oversight of IT investments and reduce cost overruns.

The information security-focused bill would establish a new National Office for Cyberspace to be part of the Executive Office of the President. That office would coordinate efforts to secure the country’s information infrastructure and establish a comprehensive national cyberspace strategy, according to a draft of the bill. That office would also oversee policies, principles, standards, and guidelines on information security.

The director of the new cyberspace office would oversee governmentwide operational evaluations on a frequent and recurring basis to make sure that agencies monitor, detect, analyze, protect against and report known vulnerabilities and attacks. The director would also have to submit a series of reports to Congress.

In addition, the Commerce Department would establish standards and guidelines for government information systems that mirror, as much as possible, the standards used for national security systems, to enhance information security and information sharing, the draft said.

The legislation would also give chief information security officers the authority to ensure that agencies can -- on an automated and continuous basis -- detect, report and mitigate cyber incidents. Each agency would also have to put in place its own information security program that has been approved by the director of the new White House office, according to the draft. Agencies would also be responsible for annual reports and evaluations.

Meanwhile, the bill focused on IT procurement would establish a Web site that would include information on the cost, schedule, and performance of all major government IT investments. The site would also include trend information on IT projects and information on investments that have exceeded their costs, schedules, or performance by more than ten percent of original plans.

If an IT project is determined to have a cost, schedule, or performance variance of at least 40 percent from original projections, the agency would be required to develop a "remedial action plan" to fix the problem. Failure to fix the problem by the required deadline would mean "additional funds may not be obligated to support expenditures associated with the project" until the requirements have been fulfilled, the draft said.

In addition, the IT acquisition measure would require chief information officers to create a program to improve their agencies’ IT procurement processes, according to the draft. Those programs would include ways to measure performance in real time and a process through which the CIO could stop the funding of an IT investment if it is at risk of failure.


About the Author

Ben Bain is a reporter for Federal Computer Week.

Reader comments

Wed, Apr 29, 2009 M.H. DC

There is much in the current (and new, I'm sure) FISMA guidelines that a CIO typically does not have control over, such as physical security, personnel security, environmental protections, etc. I'd like to see the administration provide guidance to those responsible for non-IT controls and mandate their compliance to FISMA standards. That will free up CIOs' time in trying to persuade them of their responsibilities in IT security compliance.
