[ISN] OMB does not support bill to update FISMA

From: InfoSec News (alerts@private)
Date: Fri Feb 15 2008 - 00:08:52 PST


http://www.fcw.com/online/news/151642-1.html

By Jason Miller
FCW.com
February 14, 2008

The Bush administration doesn't support legislation introduced late last 
year that would modify the Federal Information Security Management Act, 
an administration official testified today.

The bill, sponsored by Reps. William Clay (D-Mo.), Henry Waxman 
(D-Calif.) and Edolphus Towns (D-N.Y.), would require agencies to 
develop policies and plans to identify and protect personal information 
and to develop requirements for reporting data breaches.

Karen Evans, the Office of Management and Budget's administrator for 
e-government and information technology, told House members that current 
activities being undertaken by agencies are closing the performance gaps 
and the legislation could cause agencies some unplanned problems.

"We want to make sure the changes are improving security," Evans said 
after a hearing before the House Oversight and Government Reform 
Subcommittee on Information Policy, Census and the National Archives and 
the Subcommittee on Government Management, Organization and Procurement. 
"We have the same goals, but need to work out the details."

Evans testified that the foundation of FISMA is sound, and the bill 
could produce some unintended consequences that would seriously impact 
established agency security and privacy practices while not necessarily 
achieving the outcomes of improved privacy and security.

The measure follows OMB's 06-16 memo from June 2006 that requires 
agencies to encrypt personal data using standards that would make the 
information unusable by unauthorized persons. The legislation also would 
mandate that agencies establish minimum requirements regarding the 
protection of information maintained or transmitted by mobile digital 
devices.

The bill also would require agencies to report data breaches in a timely 
manner to OMB and the Homeland Security Department's U.S. Computer 
Emergency Response Center, and it also addresses security for 
peer-to-peer networks.

Clay said at the hearing that although some real progress has been made 
under FISMA, he is concerned whether the current requirements and OMB 
policies are enough to protect agencies from the onslaught of attacks.

"The bill would move us toward more rigid security requirements while 
staying within the FISMA framework," he said.

Over the last five years, FISMA has been widely criticized because some 
agencies are merely complying with its requirements and not actually 
improving network security. Although this criticism has waned recently, 
many say improvements to FISMA are necessary.

"The key change we need is to prioritize actions in FISMA," said Alan 
Paller, director of research for the SANS Institute. "Agencies need to do 
what is most important first. Industry finds out where the attacks are 
coming from and fixes that area first and then worries about the rest."

Greg Wilshusen, the Government Accountability Office's director of 
information security issues, said that despite agencies' efforts to 
implement better IT security through FISMA, 20 of 24 major departments 
had inadequate information security controls that were either 
significantly deficient or had a material weakness.

Tim Bennett, president of the Cyber Security Industry Alliance, said 
that while FISMA has led to some success, his group would like to see 
eight changes through Clay's bill. Some of these include giving chief 
information officers and chief information security officers the 
authority they need to direct budget and personnel needs. He called for 
continuous monitoring and assessments, improved performance measurement 
and incentives so agencies make information security a higher priority.

Rep. Tom Davis (R-Va.), author of FISMA, said the government must be 
more proactive instead of reactive with the goal of security, not 
compliance.

"I think we can make FISMA better," he said. "I hope we can agree on the 
right language."
