Putnam pens security reg for Clinger-Cohen
- By Jason Miller
- Apr 15, 2004
Rep. Adam Putnam will soon release the first amendment of several possible refinements he has planned for Clinger-Cohen.
On top of the IT management and procurement rules agencies must follow under the Clinger-Cohen Act, an upcoming amendment to the 1996 law would add security requirements.
The amendment, to be sponsored by Rep. Adam Putnam (R-Fla.), would require agencies to include cybersecurity in the planning and acquisition phases of systems development.
As chairman of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Putnam has spent the last year scrutinizing agencies' IT security policies and programs. Putnam has said repeatedly that he finds them wanting.
'We're going to amend Clinger-Cohen to explicitly identify security as a component of the capital planning and investment control processes,' said Bob Dix, the subcommittee's staff director, noting that the need for security planning is implied in the current version of the law.
Putnam said he has received support for the measure from other lawmakers, and he plans to introduce the amendment within the next few weeks.
When Congress drafted the bill, it mentioned that systems needed adequate security. Agencies can surmise that they are required to incorporate security into planning and acquisition processes, but the language is unclear, said Alan Paller, director of research for the SANS Institute of Bethesda, Md.
'When Clinger-Cohen was written, it was 18 months before the first federal Web hacking,' Paller said. 'The direct threat wasn't perceived.'
Paul Brubaker, a former Defense Department deputy CIO and also a former Capitol Hill staff member who helped draft the law, said Clinger-Cohen's authors wanted it to evolve over time.
'Now is the appropriate time to look at the security provisions and tighten them up,' said Brubaker, chief marketing officer for SI International Inc. of Reston, Va. 'At the time, we were just beginning to understand the whole security issue. It wasn't thought of as a business problem. But now it clearly is a business problem.'
Mark Forman, former Office of Management and Budget administrator for e-government and IT, said defining the importance of IT security in a law will make it easier for OMB to do its enforcement job.
'We handled it by regulation in OMB Circular A-11,' said Forman, who also helped write Clinger-Cohen. 'The administration's policy is that security must be a part of the business case or the project will not get funded. But for something as core as security, it needs to be in statute so agencies know what the expectations are.'
The planning and acquisition process is just one tool to enforce security, Forman said; security should be specifically mentioned in other sections of Clinger-Cohen as well. He pointed to the language about enterprise architectures, workforce training and CIO responsibilities.
'There are too many IT security professionals who are not in the mainstream of IT management,' Forman said. 'If Clinger-Cohen says the CIO is responsible for security, it would solve that problem and affect billions of dollars of spending.'
Paller would like to see agencies adopt a model similar to that of Citigroup of New York. For any new system, project managers must get a building permit to show the security office has approved the design and an occupancy permit to show the project team executed the design correctly.
'Building security into the architecture and design is such an important issue,' Paller said. 'Not doing that is the single biggest mistake agencies make with a new system.'
Forman added that new language should reflect technology advances that have changed the way the government does business.
'All current IT innovations revolve around Web services and services-oriented architectures,' he said. 'Agencies are using network and Internet computing models. The technology components of Clinger-Cohen are nine years out of date.'
Dix said the security component is only the starting point for an update of the law. 'We want to build a foundation and start with security to bring the legislation up to date in the current climate,' he said.