[ISN] Computer security law may come under Hill scrutiny

From: InfoSec News (alerts@private)
Date: Tue Jun 19 2007 - 22:11:07 PDT


http://www.govexec.com/story_page.cfm?articleid=37243

By Daniel Pulliam  
govexec.com  
June 19, 2007  

The federal law governing information security policies at agencies 
could come under scrutiny during a House subcommittee hearing Wednesday 
that will focus on cybersecurity incidents at the Homeland Security 
Department.

The House Homeland Security Subcommittee on Emerging Threats, 
Cybersecurity and Science and Technology is scheduled to hear testimony 
from DHS Chief Information Officer Scott Charbo and the Government 
Accountability Office. While the hearing will focus on DHS, industry and 
congressional sources have indicated that a broader discussion of the 
2002 Federal Information Security Management Act is likely to arise.

Despite its status as the nation's security agency, DHS has not been a 
model of computer security law compliance. In April, the department 
received a D grade [1] on an annual congressional report card measuring 
how well agencies follow FISMA. The department flunked the previous 
year.

In a statement Tuesday, Rep. Bennie Thompson, D-Miss., chairman of the 
Homeland Security Committee, said Congress has "to turn FISMA away from 
a paper exercise." He said that optimal security policies would require 
agencies to monitor their networks, conduct penetration tests, complete 
forensic analyses and mitigate vulnerabilities.

"Though FISMA brought much needed attention to federal information 
security, agencies can still receive high grades for compliance and be 
insecure," Thompson said. "Implementing those efforts will mean better 
security on our networks, and that's the next step the federal 
government needs to take."

Thompson is expected to attend the hearing and give an opening 
statement.

In April, Donald Reid, senior coordinator for security infrastructure at 
the State Department's Bureau of Diplomatic Security, told the 
subcommittee [2] that FISMA does not "tell the whole story" when it 
comes to agencies' information security practices.

"Our ability to detect and respond to intrusions . . . nowhere is that 
measured in FISMA," Reid said. "It's a great baseline log, but we 
clearly have more work to do."

Another criticism of FISMA is that compliance is measured based on 
reports produced by agencies, rather than independent auditors. Such a 
setup does little to hold agencies accountable for instituting proper 
security, according to critics.

Rep. Tom Davis, R-Va., who issues the annual report card on FISMA 
compliance and serves on the Homeland Security Committee, said in a 
statement that he expects Wednesday's hearing to involve "the usual 
suspects with complaints: failing agencies, those who misunderstand what 
the act was designed to do and those who fail to recognize what it has 
accomplished" in making IT security a priority at federal agencies.

"Certainly, we want to avoid a 'check the box' mentality," Davis said. 
"We need to incentivize strong information protection policies and 
pursue a goal of security rather than compliance. The FISMA process is a 
good one, but we'll always ask if we can make it better."

Davis said additional work is needed in developing effective security 
plans and establishing milestones to measure implementation progress.

"More improvement is needed in how systems are configured from a 
security standpoint and for training for employees with significant 
information security responsibilities," Davis said. "We continue to meet 
with public and private stakeholders searching for other ideas for what 
might be most effective."

Wednesday's hearing is expected to focus on questions stemming from 
specific incidents on DHS networks such as hacking, classified leaks, 
unauthorized use by contractors and computer viruses.

GAO has been asked to describe findings on an unnamed DHS network that 
is "riddled with significant information security control weaknesses 
that place sensitive and personally identifiable information at 
increased risk of unauthorized disclosure," according to a hearing 
briefing document [3].

The department's efforts to consolidate its computer networks under one 
roof also are likely to enter into the discussion, as are questions 
about "the lack of IT security funding" at DHS, the document indicates.

The committee sent Charbo letters on April 30 and May 31 that indicate 
the panel already has taken up its own investigation of the department's 
IT security, asking more than 25 questions over the course of two months 
about the status of the department's network security.

[1] http://govexec.com/dailyfed/0407/041207p1.htm
[2] http://govexec.com/dailyfed/0407/042007p1.htm
[3] http://www.govexec.com/pdfs/Onepageron620hearing.doc

