House gives urgency to IT security

Along with OMB guidance, agencies under pressure to do more

Laying down the law on IT security

OMB's latest guidance on data breach notification, based on direction from the President's Identity Theft Task Force, recommends that:

  • Agencies establish core management groups responsible for responding to the loss of personal information

  • Core response groups perform risk analysis in the event of a breach to determine potential for identity theft

  • Agency response should be based on the level of risk for identity theft, such as advising those potentially affected, providing credit services and public notice.

Major provisions of HR 6163, the Federal Agency Data Breach Protection Act, passed by the House:
  • Directs OMB to establish data breach policies and procedures

  • Gives CIOs enforcement authority, when an agency head delegates it, over data breach policies and inventory of IT containing personal data

  • Requires that individuals be notified if their personal information could be compromised by a data breach at a federal agency

  • Requires that the agency's chief human capital officer perform an accounting of federal property assigned to employees who are leaving

  • Defines sensitive personal information as any information about the individual held by the agency.

Rep. Tom Davis was expected to release information about agencies' past data breaches.

Rick Steele

The Office of Management and Budget and Congress are increasing the pressure on agencies to tighten IT security. Executive branch officials and lawmakers are working on separate but parallel paths to harden data security in agencies, with OMB cajoling agencies to adopt certain policies, and Congress moving to make them law.

A sense of urgency over seemingly endless data leaks drove the House recently to pass legislation that tightens requirements under the Federal Information Security Management Act for all agencies. Additionally, Rep. Tom Davis (R-Va.), sponsor of the bill, was expected to release more information about agencies' past data breaches. Sources called the information potentially 'astounding.'

Davis was expected to issue the report after press time.

Davis packaged his bill, HR 6163, the Federal Agency Data Breach Protection Act, in another piece of legislation aimed at shoring up data security at the Veterans Affairs Department, the Veterans Identity and Credit Security Act, HR 5835. The Senate must now vote on the bill.

OMB officials said they view the House bill as helping agencies meet FISMA's standards for security requirements.

'We support efforts that strengthen this important tool,' said an OMB spokeswoman.

Appalled at the flood of data breaches, most spectacularly the incident in which a VA employee lost data on millions of veterans, Davis sought from agencies summaries of data breaches that occurred over the past three years. In one case, the Commerce Department revealed that it couldn't account for 1,100 notebook PCs, including some containing personal Census Bureau data, because it did not track inventory.

The deluge of data breaches caused swift action in both the executive and legislative branches (see chart). But while OMB, which has come out with several guidance documents since June, is pushing policy and best practices, congressional officials said their bills carry more weight.

'Davis' bill has far more teeth than OMB's guidance to date,' said Dave Marin, spokesman for the House Government Reform Committee, which Davis chairs.

The bill requires agencies to adhere to IT security improvements, such as timely notice to individuals whose sensitive information may be compromised, centralizing data security enforcement under the CIO when authorized and ensuring that hardware containing personal information is maintained and accounted for, he said.

'Until now, there was no requirement that people be notified if their information is compromised,' Marin said.

Despite the compelling need for congressional response, it is uncertain whether the Senate will pass a version of the VA IT security bill, with or without Davis' FISMA language, Marin said.

Davis has made it clear that if the Senate does not take up the VA IT security bill, he plans to move his legislation as a standalone bill in November.

'If new policies and procedures are not forthcoming quickly, or if they lack teeth to get the job done, I will revisit this matter with additional legislation,' Davis said.

House Veterans' Affairs chairman Steve Buyer (R-Ind.), who shepherded the VA IT security bill, has spoken with Senate Veterans' Affairs chairman Larry Craig (R-Idaho), said Jeff Schrade, a Senate committee spokesman.

Staff members from the House and Senate committees are meeting over whether they can modify language in the House bill enough to proceed with the bill in the Senate.

'Whether a compromise can be reached, however, is difficult to say at this time,' Schrade said.

Sen. Susan Collins (R-Maine), chairwoman of the Homeland Security and Governmental Affairs Committee, is reviewing the Davis bill, a committee spokeswoman said.

Security expert Alan Paller, research director of the SANS Institute in Bethesda, Md., even told Davis a few months ago that his legislation should be tougher and extend to contractors.

Centralized IT security enforcement is valuable as long as agencies use procurement to get contractors to deliver safer systems, he said.

'Otherwise it [enforcement] is ineffective. Using federal procurement to fix security is the only way out of the maze,' Paller said.

He urged legislation that no federal IT contract be let unless it includes specific language requiring the contractor to take responsibility for ensuring that the systems are:
  • Delivered securely, with all unnecessary services turned off, all patches current, all configurations mapped to National Security Agency or Center for Internet Security Standards benchmarks

  • Maintained securely through, at a minimum, 24- to 48-hour patching
  • Protected by agreements in which the vendor takes responsibility for cleaning up after any hacking incidents.

Following guidelines

Meanwhile, OMB will continue to work with agency inspectors general to ensure that agencies follow its guidelines to properly safeguard sensitive data, the OMB spokeswoman said.

OMB's Identity Theft Task Force recently outlined steps agencies should take in responding to an identity theft and ways to prevent one from happening. These include identifying a 'core management group responsible for responding to the loss of personal information. ...'

President Bush created the Identity Theft Task Force through an executive order issued in May. Attorney general Alberto Gonzales and Deborah Platt Majoras, chairwoman of the Federal Trade Commission, led the task force.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above