By Daniel Pulliam
dpulliam at govexec.com
June 12, 2006
Recently reported breaches compromising sensitive data held by four
agencies have officials looking at ways to improve federal information
Security experts and former government officials started pointing
fingers at alleged weaknesses in the 2002 Federal Information Security
Act earlier this year. In recent interviews, some said they believe
that the incidents could lead to changes in the law.
Alan Paller, director of research at the SANS Institute in Bethesda,
Md., a nonprofit cybersecurity research organization, called the
compromise of personnel records of 1,500 Energy Department employees
revealed last week, combined with last month's theft of personal data
on 26.5 million people from a Veterans Affairs Department employee's
home, "an indictment of FISMA."
In two unrelated incidents, laptop computers containing the personal
information -- including Social Security numbers, birthdates and names
-- of about 200 employees at the Social Security Administration and
the Internal Revenue Service were lost recently.
FISMA requires agencies to identity and categorize risks to their
information technology systems and then implement security controls
based on those risks.
Paller said agencies are using their technology security funds to pay
independent contractors to write FISMA-required reports as part of the
certification and accreditation process, leaving little money for
implementing actual security measures. A certification and
accreditation process is necessary, but it should be continuous and
automated, Paller said.
"There was a thought that to check security, you had to check with
people and talk to people, but because most attacks are done by
systems, you need systems to check the security," Paller said. "The VA
spent tens of millions of dollars certifying and accrediting these
systems, and they are not secure."
A VA spokesman said that the agency received $77 million for
information security in fiscal 2006 and $78 million has been proposed
for fiscal 2007.
Paller and Bruce Brody, vice president for information security at the
Reston, Va-based market research firm INPUT and associate deputy
assistant secretary for cyber and information security at the VA from
2001 to 2004, have been critical of FISMA in the past, and both met
with staffers from the House Government Reform Committee recently to
discuss possible changes to the law.
Brody, who also served as chief information security officer at the
Energy Department until December 2005, said that the Energy security
breach occurred during his tenure at the agency, but within the
National Nuclear Security Administration, which is autonomous from the
department under the National Nuclear Security Act.
Paller said he believes that effective reform is possible, but Brody
said the policy and legislative communities are unlikely to get the
changes right unless information security practitioners are involved.
Clay Johnson, the Office of Management and Budget's deputy director
for management, said last week OMB has 95 percent of the laws and
policies it needs to hold agencies accountable for locking down their
information systems, but "extra teeth" may be needed. He did not
specifically refer to FISMA.
Johnson said in testimony before the House Government Reform Committee
that the administration believes it generally has good policies and
laws for protecting data, but is "prepared to take more action as
In a request for comment on the matter, OMB gave no indication that
changes to FISMA are being considered.
OMB spokeswoman Andrea Wuebker said that FISMA was established to
ensure that agencies meet consistent standards for security
requirements for information systems. Agencies are responsible for
ensuring that they are FISMA compliant and that their employees are
trained to work with tough security measures, Wuebker said.
"Sound standards and policies are in place, and OMB works with
agencies to make sure practices match these policies," Wuebker said.
=A92006 by National Journal Group Inc. All rights reserved.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.