Panel: Proposed IT security bill needs revisions
- By Jason Miller
- May 02, 2002
Support for the Federal Information Security Management Act of 2002, which would replace the Government Information Security Reform Act of 2001, was lukewarm at best today at a joint hearing before two House Government Reform subcommittees.
Eight panel members, mostly from government, testified before the subcommittees on Government Efficiency, Financial Management and Intergovernmental Relations, and Technology and Procurement Policy. Many said the legislation, sponsored by Rep. Tom Davis (R-Va.), chairman of the Technology and Procurement Policy subcommittee, needed to be revised in a number of areas but overall maintained an important focus on IT security.
'FISMA is sound and will help,' said Ron Miller, CIO of the Federal Emergency Management Agency. 'There are a number of areas in which, from the information security technologist's point of view, the bill needs improvement.'
FISMA would require agencies to use security best practices and would give the National Institute of Standards and Technology a bigger role in developing and maintaining security standards and controls. GISRA is scheduled to expire Nov. 29, so putting a new bill in place has become a priority for the subcommittees.
'The bottom line is that we are still too vulnerable,' Davis said. 'We need to focus on developing strong, risk-based, agencywide security management programs that cover all operations and assets of federal agencies.'
Miller said the bill needs to stress a stronger link between security requirements and capital planning and provide resources for training, retention of IT employees and support for day-to-day efforts.
Mark Forman, the Office of Management and Budget's associate director for IT and e-government, said the administration still is developing a position on the bill but offered some hints on what lawmakers should avoid.
'We must be careful and resist overly simplistic attempts to standardize management and operational and technical security controls in a nonstandardized world,' he said. 'Thus, security controls must be built to specifications of the program, not vice versa.'
Forman said the administration would at least like to see GISRA reauthorized, which is a provision of the e-government bill submitted by Sen. Joseph I. Lieberman (D-Conn.).
Davis hopes to get his bill marked up by the full committee in the next two weeks, said David Marin, a spokesman for the legislator.