Davis bill would tighten FISMA regs

House Government Reform Committee chairman Rep. Tom Davis (R-Va.) today introduced legislation to require federal agencies to better protect Americans' sensitive personal information.

Davis' legislation, the Federal Agency Data Breach Protection Act (H.R. 6163), which could strengthen a bill to improve data security at the Veterans Affairs Department, would require all federal agencies to inform the public about data breaches involving sensitive data.

This legislation amends the Federal Information Security Management Act, which Davis introduced and shepherded to passage in 2002.

"If new policies and procedures are not forthcoming quickly, or if they lack the teeth to get the job done, I will revisit this matter with additional legislation," the congressman said.

Davis' legislation directs the Office of Management and Budget to establish procedures for agencies to follow if personal information is lost or stolen. It also would require that individuals be notified if their personal information could be compromised by a breach of data security at a federal agency.

It would give CIOs the power to ensure that agency personnel comply with information security laws and that costly equipment containing sensitive information is accounted for and secure.

Earlier Davis language became H.R. 5838, the Federal Agency Data Breach Notification Act, which was added to the VA bill, H.R. 5835, the Veterans Identity and Credit Security Act of 2006, and introduced after officials there revealed a laptop computer containing sensitive information about veterans had been stolen from an employee's home in suburban Maryland.

Davis hopes the revised legislation introduced today will be added to the VA bill as well.

Davis asked other federal agencies if they were missing laptops or other potentially compromising information. The Commerce Department revealed it couldn't account for more than 1,100 laptops, some containing census data. Half the missing computers were simply not returned by departing or terminated employees. Some agencies have yet to respond to the committee's query.

Last Friday, Davis responded with a call for a governmentwide policy on public breach notification.

Later that day, OMB issued guidance supporting the recommendations of the White House and its Identity Theft Task Force that agencies establish a core management group responsible for responding to breaches of personal data, including initial risk analysis of the data breach and its scope to determine how it should proceed.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

