[ISN] Lawmaker: Extend Law For Federal Computer Security Tests

From: InfoSec News (isnat_private)
Date: Wed Mar 06 2002 - 00:28:34 PST

    By Brian Krebs,
    Tuesday, March 5, 2002; 6:15 PM

    Rep. Tom Davis, R-Va., introduced legislation today to extend the life
    of a law that has shown just how vulnerable government agency networks
    are to hacker attacks.

    Davis' bill would permanently reauthorize the Government Information
    Security Reform Act (GISRA) of 2000, a statute that requires agencies
    to conduct annual security assessments and penetration tests on their
    non-classified information systems.

    President Clinton signed the measure into law in October 2000 as part
    of the Defense Department appropriations package for 2001. As such,
    the law would expire on Nov. 29, 2002.

    "We cannot afford to delay enactment of this legislation," said Davis,
    who chairs the House Government Reform Subcommittee on Technology and
    Procurement Policy. "At a time when uncertainty threatens confidence
    in our nation's preparedness, the federal government must make
    information security a priority."

    Under GISRA, agencies are graded on the results of penetration testing
    and overall security. In last year's round of penetration tests,
    nearly all federal agencies earned a grade of "D" or lower for
    computer security.

    The new bill would add teeth to the security tests by forcing federal
    agencies to adopt minimum computer security standards as established
    by the National Institute of Standards and Technology (NIST).

    More specifically, the legislation would no longer allow agencies to
    seek waivers of the NIST standards, as permitted under the Computer
    Security Act of 1987. Rather, the bill would require the Office of
    Management and Budget to make those minimum standards compulsory and
    The OMB has said it plans to begin tying each agency's computer
    security report card to its annual budget request by cutting funds for
    IT projects that continually fail to meet minimum security standards.

    Davis introduced his bill in advance of a hearing on the lessons
    learned from GISRA, scheduled for Wednesday in the House Government
    Reform Subcommittee on Government Efficiency, Financial Management,
    and Intergovernmental Relations. The chair of that subcommittee, Rep.
    Stephen Horn, R-Calif., is the lead co-sponsor of Davis' bill.