Legislation addresses concerns that FISMA compliance had become a paperwork drill without ensuring improved IT security.
The Senate Homeland Security and Government Affairs Committee yesterday approved a Senate bill that would update the Federal Information Security Management Act.
S. 3474, The FISMA Act of 2008, was introduced Sept. 11 by Sen. Tom Carper (D-Del.) to address concerns that FISMA compliance had become a paperwork drill without ensuring improved IT security. The bill would require annual security audits by agencies and would give chief information security officers broader authority to enforce FISMA requirements.
FISMA is the primary law governing federal IT security, requiring risk-based security controls for non-national-security information systems and the certification and accreditation of systems. Carper's bill would focus on ensuring that controls provide adequate security, replacing current FISMA evaluations with formal annual audits and requiring the appointment of chief information security officers in each civilian agency with authority to enforce FISMA compliance. The bill also would establish a CISO Council directed by the National Cyber Security Center and require the Homeland Security Department to conduct regular red team penetration tests against networks.
Adequate IT security also would be required on all contractor networks, and the Office of Management and Budget would establish contract language on IT security reflecting these requirements.
A second IT bill Carper introduced also was passed out of committee yesterday. S.3384, the IT Investment Oversight and Waste Prevention Act of 2008, was introduced in July to improve the planning and management of IT system investments. The bill would:
- Require quarterly reporting to CIOs on project cost, schedule and performance, and notification to Congress of significant problems.
- Require annual reports to Congress on each agency's most critical and high-risk projects, with an independent cost estimate and changes to original plans.
- Make it easier for agencies to terminate a project if costs are out of control.
- Require OMB to assemble an IT trouble-shooting team to work with agencies on troubled projects before they get out of control.
NEXT STORY: Citrix NetScaler package certified