FISMA reform rides on defense spending's coattails

Passage aims for federal cybersecurity improvement through wholesale restructuring

The House has passed measures under the 2011 Defense Authorization spending bill to upgrade federal cybersecurity by improving the eight-year-old Federal Information Security Management Act (FISMA).

The cybersecurity-oriented amendment passed May 28 also pursues several other ways to streamline compliance and make security more effective.

Provisions that support FISMA reform include establishing a White House director for cyberspace and a federal cybersecurity practice board, both of which would help develop, update and implement federal cybersecurity guidelines and measures. That office and oversight board would also administer FISMA requirements and compliance, and be responsible for cybersecurity budgets and governmentwide coordination.

Although the White House cybersecurity office would have the authority to review civilian agencies’ information technology security budgets, it would be able only to make recommendations and could not issue orders. Also, the Defense Department and Central Intelligence Agency would be exempt from the White House office’s oversight.

Congressional moves to beef up federal cybersecurity come after years of complaints that FISMA’s goal of improving government network security is overshadowed by its paperwork-laden, procedural requirements.

In testimony in April on Capitol Hill, federal Chief Information Officer Vivek Kundra acknowledged that FISMA has lagged in truly improving federal IT security. “The FISMA measures reported on annually have led agencies to focus on compliance. However, we will never get to security through compliance alone,” he said.

Howard Schmidt, White House cybersecurity coordinator, said, “You can be compliant with FISMA but still not secure.” Schmidt added that he is working with Kundra and Office of Management and Budget Director Peter Orszag to make improvements. “We’re looking at turning that around so when you become secure, you become compliant,” Schmidt said at the U.S. Strategic Command Cyber Symposium in Omaha on May 28.

Reforming FISMA is just one of several parts of the defense spending bill amendment targeting security of government information systems.

Under the amendment, federal agencies would be required to start programs that continuously and automatically monitor their computer networks for cyber threats, and agencies would need to obtain annual, independent audits of in-house information security programs.

Government IT contractors and subcontractors would also face independent audits, and their contracts would include cybersecurity standards at inception. Those standards would be developed by the White House cybersecurity director’s office in conjunction with the National Institute of Standards and Technology and the General Services Administration.

The amendment also calls for a White House office for the government’s chief technology officer.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
