Davis proposes changes to FISMA reporting
- By Jason Miller
- Jul 20, 2006
Rep. Tom Davis yesterday introduced legislation that would institute stricter requirements in how federal agencies report data breaches.
The Virginia Republican and chairman of the Government Reform Committee submitted legislation, along with Reps. Stephen Buyer (R-Ind.) and Deborah Pryce (R-Ohio), that would require the Office of Management and Budget to "establish policies, procedures and standards for agencies to follow" in the event of a data breach involving personal information.
The legislation also includes a provision calling for the agency CIO to enforce data breach policies and defines sensitive personal information as any information contained in a record. The U.S. Code defines a record as: "any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history, and that contains his name or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. "
"We have seen too many recent examples when sensitive data has been lost or stolen, and agencies have moved too slowly to acknowledge the problem and take steps to limit the potential damage," Davis said in a statement.
The bill follows an OMB memo
issued last week detailing the steps agencies must take to report data breaches. The bill takes OMB's memo one step further with its CIO provision.
Davis' bill also comes as the House Veterans' Affairs Committee, of which Buyer is chairman, is marking up legislation
today that was drafted in cooperation with the Government Reform committee to accelerate improvements in information security at the Veterans Affairs Department.
The Veterans Identity and Credit Protection Act would require prompt notification of data breaches, centralize IT management including enforcement, and define responsibilities within VA for the regular reporting of its adherence to federal information security standards.
"I am pleased to have worked with chairman Davis, and appreciate his leadership in making these key changes to FISMA, which should help federal agencies more effectively manage information security,' Buyer said.
There is no Senate companion bill, said Government Reform Committee spokesman Robert White.
White also added that the FISMA bill would complement other data breach legislation that deals with private-sector breach notification and enforcement.