FISMA reform rides on defense spending's coattails

Passage aims for federal cybersecurity improvement through wholesale restructuring

The House has passed measures under the 2011 Defense Authorization spending bill to upgrade federal cybersecurity by improving the eight-year-old Federal Information Security Management Act (FISMA).

The cybersecurity-oriented amendment passed May 28 also pursues several other ways to streamline compliance and effective security.

Provisions that support FISMA reform include establishing a White House director for cyberspace and a federal cybersecurity practice board, both of which would help develop, update and implement federal cybersecurity guidelines and measures. That office and oversight board would also administer FISMA requirements and compliance, and be responsible for cybersecurity budgets and governmentwide coordination.

Although the White House cybersecurity office would have the authority to review civilian agencies’ information technology security budgets, it would be able only to make recommendations and could not issue orders. Also, the Defense Department and Central Intelligence Agency would be exempt from the White House office’s oversight.

Congressional moves to beef up federal cybersecurity come after years of complaints that FISMA’s goal of improving government network security is overshadowed by its paperwork-laden, procedural requirements.

In testimony in April on Capitol Hill, federal Chief Information Officer Vivek Kundra acknowledged that FISMA has lagged in truly improving federal IT security. “The FISMA measures reported on annually have led agencies to focus on compliance. However, we will never get to security through compliance alone,” he said.

Howard Schmidt, White House cybersecurity coordinator, said, “You can be compliant with FISMA but still not secure.” Schmidt added that he is working with Kundra and Office of Management and Budget Director Peter Orszag to make improvements. “We’re looking at turning that around so when you become secure, you become compliant,” Schmidt said at the U.S. Strategic Command Cyber Symposium in Omaha on May 28.

Reforming FISMA is just one of several parts of the defense spending bill amendment targeting security of government information systems.

Under the amendment, federal agencies would be required to start programs that continuously and automatically monitor their computer networks for cyber threats, and agencies would need to obtain annual, independent audits of in-house information security programs.

Government IT contractors and subcontractors would also face independent audits, and their contracts would include cybersecurity standards at inception. Those standards would be developed by the White House cybersecurity director’s office in conjunction with the National Institute of Standards and Technology and the General Services Administration.

The amendment also calls for a White House office for the government’s chief technology officer.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.


Reader Comments

Wed, Jun 2, 2010

Instead of drill, baby, drill, now they say spend, baby, spend!!!

Tue, Jun 1, 2010 badgeswapper

While this may not be especially good news for contractors with heavy investments in C&A capabilities, these changes along with a focus on more real-time active monitoring are finally a move in the right direction. -------------------------- www.badgeswapper.com - the forum for Federal contractors
