A SENATE BILL aimed at strengthening federal information technology security won an important vote of approval by the Senate Homeland Security and Governmental Affairs Committee late last month.
S. 3474, sponsored by Sen. Tom Carper (D-Del.), would institute a number of important improvements to the Federal Information Security Management Act, the law that governs many aspects of how federal agencies protect and certify their nonclassified IT systems.
Unfortunately, this bill, like many others, will most likely have to wait for a new Congress. A separate bill, S. 2321, to reauthorize the E-Government Act of 2002 appears to be facing a similar fate. Nevertheless, let’s hope the work and momentum that went into FISMA 2.0 aren’t lost in the next legislative session.
Carper’s bill addresses a number of shortcomings in the existing law. Most notably, it deals with rules that tend to channel more resources toward meeting compliance rules than toward implementing proven IT security measures.
First, the bill would require the heads of federal agencies to designate a chief information security officer. More importantly, the CISO would have the authority to disconnect systems that fail to meet essential security practices. That will probably set off a few rebellions from users who traditionally have prevailed in keeping systems in operation, arguing that mission must come before IT security. But vulnerable IT systems represent a serious form of jeopardy; at least under this legislation, the CISO would have clout when agencies weigh competing risks.
Second, the legislation wisely provides that the CISO would report to the agency’s chief information officer — and that an individual may not serve as the CIO and the CISO at the same time. An earlier draft didn’t specify the chain of command, leaving in question who would bear ultimate responsibility for IT security — and the prospect of decision-making whirlpools.
Third, the bill would require that CISOs establish the means to continuously detect, monitor, correlate and analyze the security of any information system connected to the agency’s information infrastructure. It’s not that agencies don’t believe that should be done. But under current FISMA rules, taking such obvious measures doesn’t earn any points compared to other must-do FISMA tasks.
Fourth, the bill would demand stronger procurement and contracting provisions, making contractors more responsible for ensuring the federal IT systems they run or support adhere to rigorous security practices.
There are still a number of other federal IT security measures requiring attention. But Carper’s FISMA 2.0 bill is a good place to start.