Make GISRA permanent, House panel tells Congress
Rep. Steve Horn, who is retiring this term, has called for Congress to strengthen GISRA.
Strengthening the Government Information Security Reform Act is essential for effective oversight, a House report concluded last month.
The House Government Reform Subcommittee on Government Management, Information and Technology, chaired by Rep. Steve Horn (R.-Calif.), recommended that Congress make the act permanent instead of letting it expire Nov. 29.
Horn, who is retiring after this term, will issue his third and final cybersecurity report card soon. Last November the government got an overall F in the second report card, and 17 of 25 agencies also failed.
Every study cited in last month's report, from reviews by the General Accounting Office, the Office of Management and Budget and agencies' inspectors general, found pervasive IT security weaknesses.
The subcommittee report said agencies:
- Are not conducting periodic risk assessments
- Have failed to identify critical systems
- Have inadequate security controls
- Rely on flawed commercial software
- Have not built IT security into capital planning.
The report also said Congress lacks access to the information it needs to oversee these issues. Although OMB makes an annual GISRA summary report to Congress, the information is neither complete nor timely, the report said. Congressional review of fiscal 2003 budget proposals also failed to reveal whether agencies were on track to correct long-standing problems.
"There was such a wide disparity in the level of information reported that no determination could be made," the report said.
The Energy, Justice, Labor and Treasury departments proposed in their budgets to correct most if not all of their weaknesses, but other budget proposals did not include the required information.
GISRA requires agencies to incorporate security into their IT programs and to regularly evaluate their systems security. OMB has authority to oversee the act.
A number of bills now before the lame-duck session of Congress include provisions to extend the act or make it permanent.
The report also recommended tying agency funds more closely to effective computer security.
Although OMB has said it will not fund IT projects that lack adequate security provisions, Congress may have to step into the process, the report said, by redirecting a percentage of appropriated funds "toward correcting significant security weaknesses."