House subcommittee pushes for speed on improving IT security
- By William Jackson
- Jun 24, 2003
Expressing what Rep. Adam Putnam called 'bipartisan frustration' at the slow pace of improvement, a House subcommittee grilled agency officials today about federal IT security.
The Florida Republican's House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census questioned inspectors general and CIOs about the results of the Government Information Security Reform Act.
The mantra from executive branch and oversight agencies was that progress has been made in the past year, but that significant weaknesses remain. Mark A. Forman, the Office of Management and Budget's administrator for e-government and IT, argued for patience.
'The challenge is that there is a lot of work, and it takes time,' Forman said.
But the lawmakers seemed to be just about out of patience.
'There is very little indication that anyone takes the threat seriously,' Putnam said at the close of the hearing.
Witnesses said that although progress is being made, the necessary focus on security is a new phenomenon at their agencies. Commerce Department IG Johnnie E. Frazier said his department had to overcome a history of neglect.
'Before GISRA, IT security was simply not on the radar screen,' he said.
Bruce Morrison, CIO at the State Department, which has been identified as one of the worst performers in the IT security arena, said the issue now has 'the highest level of attention from secretary Colin Powell.' But he added, 'we are still at the early stages of creating a comprehensive cybersecurity plan.'
Subcommittee members pressed witnesses about whether adequate resources were available for agencies to make significant and rapid improvements in the discovery, evaluation and securing of systems required under GISRA and now the Federal Information Security Management Act.
'I think we're fine with resources,' Forman said.
But other witnesses complained that they were stretched thin in meeting GISRA and FISMA mandates. Frazier said four full-time employees were doing independent evaluations for the mandated systems security assessments. 'Our resources are very limited,' he said.
Both Frazier and Agriculture Department CIO Scott Chabro acknowledged that lack of time and money probably have resulted in incomplete and inaccurate reports being submitted as required by the two laws.
One of the problems focused on by the subcommittee was the difficulty of retaining CIOs, who are responsible for implementing many FISMA requirements. The three CIOs testifying before the subcommittee all have been in their positions for less than a year. Treasury Department CIO Drew Ladner has been on the job since March.
'We're looking at that as part of the skills gap assessment,' Forman said. 'Traditionally, the issues that have come up are money related.'
Stress is also an issue.
'We're trying to drive an awful lot of transformation through the agencies, and these have become some of the most stressful jobs,' he said. 'I'm not sure how you keep people from burning out.'
William Jackson is a Maryland-based freelance writer.