Davis, Putnam ratcheting up IT security oversight
- By Jason Miller
- Jan 28, 2004
Two key lawmakers are pressing agencies to correct longstanding IT security problems.
Tom Davis, chairman of the House Government Reform Committee, yesterday said his committee will hold a hearing this spring on at least two contracts that failed to take the Federal Information Security Management Act into account. The Virginia Republican, who authored the IT security bill last year, said agencies too often are neglecting the guidelines.
And Adam Putnam, chairman of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, said he sent a letter to agency secretaries today requesting a meeting with their CIOs to discuss their IT security action plans. The Florida Republican said the letters are part of an effort to increase awareness of agency IT security problems.
Last December, Putnam issued an IT security report card and found the government's overall grade to be a 'D' (see the Dec. 15, 2003, GCN story).
'We want to put down a marker and take the issue to the highest levels to make sure the director of the agency knows Congress is following this issue,' Putnam said. 'The big thing is to make sure agencies think through what they did well and what they didn't do so well to earn their grade.'
Davis and Putnam were keynote speakers at a conference on FISMA sponsored by ICG Government of Reston, Va., and the Potomac Forum Ltd. of Potomac, Md.
Both legislators said agencies are on the right track toward improving IT security, but it needs to happen faster.
'We need to do a better job of educating agency managers about IT security,' Davis said. 'This is more serious than the year 2000 problem because a penetration could be life threatening.'
Putnam said he was most concerned that only five agencies, as of the subcommittee's December report card, had finished their IT inventories in the four years since FISMA's predecessor, the Government Information Security Reform Act, was passed in 2000.
'How can you secure something if you don't know what you have?' Putnam asked the audience. 'Poor inventory control has built up over the last decade and we have to change that.'
Putnam said his staff already has met with six CIOs and will meet with the CIO Council in March to discuss agency IT security plans, milestones and his subcommittee's expectations. He added his staff also will meet with the appropriations committee staff members to discuss the importance of funding IT security.
'We've had some very positive discussions with the CIOs so far,' Putnam said. 'They are being very aggressive in responding to the charge of improving their IT security.'
Some agency security employees criticized the report card because it didn't give agencies credit for work being done. One fed said agencies have more security now than ever before, but the report card looks at security as an all-or-nothing issue.
When told of the criticism, Putnam said the subcommittee would listen to agency issues and consider whether scorecard adjustments are necessary. But he also said there are enough examples of agencies that have dramatically improved their IT security that there are no excuses for departments not showing marked improvements each year. Putnam said the Labor Department, the National Science Foundation and the Nuclear Regulatory Commission are the best examples.