Editor's Desk | FISMA 2.0: A good start

Wyatt Kash

GCN

A SENATE BILL aimed at strengthening federal information technology security won an important vote of approval by the Senate Homeland Security and Governmental Affairs Committee late last month.

S. 3474, sponsored by Sen. Tom Carper (D-Del.), would institute a number of important improvements to the Federal Information Security Management Act, the law that governs many aspects of how federal agencies protect and certify their nonclassified IT systems.

Unfortunately, this bill, like many others, will most likely have to wait for a new Congress. A separate bill, S. 2321, to reauthorize the E-Government Act of 2002 appears to be facing a similar fate. Nevertheless, let's hope the work and momentum that went into FISMA 2.0 isn't lost in the next legislative session.

Carper's bill addresses a number of shortcomings in the existing law. Most notably, it deals with rules that tend to channel more resources toward meeting compliance rules than toward implementing proven IT security measures.

First, the bill would require the heads of federal agencies to designate a chief information security officer. More importantly, the CISO would have the authority to disconnect systems that fail to meet essential security practices. That will probably set off a few rebellions from users who traditionally have prevailed in keeping systems in operation, arguing that mission must come before IT security. But vulnerable IT systems represent a serious form of jeopardy; at least under this legislation, the CISO would have clout when agencies weigh competing risks.

Second, the legislation wisely provides that the CISO would report to the agency's chief information officer, and that an individual may not serve as the CIO and the CISO at the same time. An earlier draft didn't specify the chain of command, leaving in question who would bear ultimate responsibility for IT security and raising the prospect of decision-making whirlpools.

Third, the bill would require that CISOs establish the means to continuously detect, monitor, correlate and analyze the security of any information system connected to the agency's information infrastructure. It's not that agencies don't believe that should be done. But under current FISMA rules, taking such obvious measures doesn't earn any points compared to other must-do FISMA tasks.

Fourth, the bill would demand stronger procurement and contracting provisions, making contractors more responsible for ensuring the federal IT systems they run or support adhere to rigorous security practices.

There are still a number of other federal IT security measures requiring attention. But Carper's FISMA 2.0 bill is a good place to start.

About the Author

Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.

Reader Comments

Thu, Jul 16, 2009 rybolov Washington, DC

Hi Wyatt, you've been reading the press releases too much on this bill. If the problem right now is with the costs of demonstrating compliance and you add more provisions to the existing security compliance framework, what you've really done is increased the audit burden with no real net increase in security, i.e., you've made the compliance costs worse. In fact, all you've done is to take one law and replace it with another. Nobody has addressed the root cause of the problem, which is that we have a shortage of skilled information security staff in the DC area. If you really want to fix the problem, that's where we need to put our efforts, not in whitewashing the legal framework.
