By Jason Miller
February 14, 2008
The Bush administration doesn't support legislation introduced late last
year that would modify the Federal Information Security Management Act,
an administration official testified today.
The bill, sponsored by Reps. William Clay (D-Mo.), Henry Waxman
(D-Calif.) and Edolphus Towns (D-N.Y.), would require agencies to
develop policies and plans to identify and protect personal information
and to develop requirements for reporting data breaches.
Karen Evans, the Office of Management and Budget's administrator for
e-government and information technology, told House members that current
activities being undertaken by agencies are closing the performance gaps
and that the legislation could cause agencies some unplanned problems.
"We want to make sure the changes are improving security," Evans said
after a hearing before the House Oversight and Government Reform
Subcommittee on Information Policy, Census and the National Archives and
the Subcommittee on Government Management, Organization and Procurement.
"We have the same goals, but need to work out the details."
Evans testified that the foundation of FISMA is sound, and the bill
could produce some unintended consequences that would seriously impact
established agency security and privacy practices while not necessarily
achieving the outcomes of improved privacy and security.
The measure follows OMB's M-06-16 memo from June 2006, which requires
agencies to encrypt personal data using standards that would make the
information unusable by unauthorized persons. The legislation also would
mandate that agencies establish minimum requirements regarding the
protection of information maintained or transmitted by mobile digital
The bill also would require agencies to report data breaches in a timely
manner to OMB and the Homeland Security Department's U.S. Computer
Emergency Response Center, and it also addresses security for
Clay said at the hearing that although some real progress has been made
under FISMA, he is concerned whether the current requirements and OMB
policies are enough to protect agencies from the onslaught of attacks.
"The bill would move us toward more rigid security requirements while
staying within the FISMA framework," he said.
Over the last five years, FISMA has been widely criticized because some
agencies are merely complying with its requirements and not actually
improving network security. Although this criticism has waned recently,
many say improvements to FISMA are necessary.
"The key change we need is to prioritize actions in FISMA," said Alan
Paller, director of research for the SANS Institute. "Agencies need to do
what is most important first. Industry finds out where the attacks are
coming from and fixes that area first and then worries about the rest."
Greg Wilshusen, the Government Accountability Office's director of
information security issues, said that despite agencies' efforts to
implement better IT security through FISMA, 20 of 24 major departments
had inadequate information security controls that were either
significantly deficient or had a material weakness.
Tim Bennett, president of the Cyber Security Industry Alliance, said
that while FISMA has led to some success, his group would like to see
eight changes through Clay's bill. Some of these include giving chief
information officers and chief information security officers the
authority they need to direct budget and personnel needs. He called for
continuous monitoring and assessments, improved performance measurement
and incentives so agencies make information security a higher priority.
Rep. Tom Davis (R-Va.), author of FISMA, said the government must be
more proactive instead of reactive with the goal of security, not
"I think we can make FISMA better," he said. "I hope we can agree on the