Cybereye | The price of security
AN UPDATE of the Federal Information Security Management Act introduced in the Senate attempts to add a few teeth to the primary law governing information technology security. FISMA 2008, S. 3474, would require annual security audits and would give chief information security officers broader authority to enforce requirements.
'Our security management legislation will hold federal agencies accountable for their ability to monitor, detect and respond to cybersecurity incidents,' Sen. Tom Carper (D-Del.) said in introducing the legislation.
[IMGCAP(1)]Carper, chairman of the Homeland Security and Governmental Affairs Committee's Federal Financial Management, Government Information, Federal Services and International Security Subcommittee, complained that the original FISMA has become a paperwork exercise. He wants to add some specificity and accountability to the existing law.
The bill was introduced Sept. 11 and referred to the Homeland Security and Governmental Affairs Committee. The odds of its seeing much action in the remaining weeks of this session's legislative calendar probably are slim, given the distractions of presidential and congressional elections and the meltdown of the financial services industry. But some reworking of FISMA eventually will happen.
A strong point of Carper's bill is its brevity. It is not a major rewrite of FISMA and does not change the basic requirements for risk-based security controls and the certification and accreditation of systems. It focuses instead on ensuring that those controls provide adequate security. The current FISMA evaluations would be replaced with more formal audits.
It also would require each civilian agency to appoint a CISO who would report to the chief information officer. The CISO would have authority to enforce FISMA compliance. The bill would create a CISO council as the principal interagency forum for best practices. The Homeland Security Department would be given general oversight of IT security and would conduct penetration testing against agencies' networks.
FISMA requirements would not stop with the .gov domain. They would extend to networks of contractors at every tier, and the Office of Management and Budget would establish IT security language reflecting this in all contracts.
These all are sensible goals, but the key to the legislation is a sentence stating that the 'chief information security officer for an agency shall have the mission, budget, resources and authority necessary' to carry out his duties.
The issue of budget and resources has long been the stumbling block with FISMA. A lack of resources often has been the reason agencies have focused on FISMA compliance ' the paperwork part ' and why compliance has been slow to translate into improved security.
The best thing Congress can do here is to take the issue of funding seriously. This will not be easy, especially with everyone fresh from voting on a $700 billion financial bailout. But if lawmakers are serious about security, they will have to be serious about providing resources.