[ISN] Davis reinforces security rules

From: InfoSec News (isnat_private)
Date: Thu Mar 07 2002 - 23:51:47 PST


    By Diane Frank
    March 7, 2002

    Rep. Tom Davis (R-Va.) introduced a bill March 6 that would update and
    extend the Government Information Security Reform Act, as members of
    Congress expressed concern over current legislation.

    Besides permanently reauthorizing GISRA, which is due to expire Nov.
    29, Davis' Federal Information Security Management Act (FISMA)
    requires agencies to follow security standards and tools developed by
    the National Institute of Standards and Technology. Under current
    legislation, those standards are simply recommendations.

    "In general, FISMA streamlines GISRA's provisions and requires that
    agencies utilize information security best practices that will ensure
    the integrity, confidentiality and availability of federal information
    systems," Davis testified before the House Government Reform
    Committee's Government Efficiency, Financial Management and
    Intergovernmental Relations Subcommittee.

    Those best practices would include the security assessment
    questionnaire developed by NIST last year. Many agencies are using
    that tool already, and this month NIST will release the first
    automated version of the questionnaire, according to Joan Hash,
    manager of the NIST Computer Security Division's security management
    and guidance group.

    The bill also addresses one of the primary concerns of congressional
    officials: reporting requirements.

    GISRA's primary provision is the annual security assessments that
    every agency chief information officer and inspector general must turn
    in to the Office of Management and Budget. At the hearing, held by
    subcommittee chairman Rep. Stephen Horn (R-Calif.), several officials
    raised concerns about GISRA reporting requirements. Part of the reason
    for the short sunset date on GISRA was to give Congress time to
    examine the bill, which passed at the end of the session in 2000 with
    very little discussion. A number of problems already have become
    apparent, said Rep. Janice Schakowsky (D-Ill.), ranking member on the

    One main problem is the fact that GISRA does not require agencies to
    provide Congress with their entire report, only a summary that goes
    through OMB, she said. OMB released the first of these reports last
    month. The fact that Congress sees only this summary means members did
    not get to see any of the agencies' corrective action plans, leaving
    them in the dark about the status of agencies' security, she said.

    The General Accounting Office is reviewing the implementation of GISRA
    for the subcommittee. GAO officials also are concerned about the lack
    of access to full reports and action plans, because it limits
    Congress' ability to oversee agencies' compliance and hampers
    current-year budget deliberations, said Robert Dacey, director of
    information security issues at GAO.

    Davis' bill addresses this issue by requiring OMB to include in its
    annual report to Congress not only the summary of findings and
    deficiencies, but also "planned remedial actions to address such

    This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 02:36:53 PST