A bill that would amend the Federal Information Security Management Act (FISMA) could pass during the next session of Congress, and chief information security officers are wondering what more FISMA requirements might mean for them.
Legislation to amend the current FISMA requirements cleared the Senate Homeland Security and Governmental Affairs Committee earlier this year.
The bill would change how agencies’ information security practices are evaluated and would redefine the role of the CISO.
CISOs participating in a panel discussion at a Government Technology Research Alliance conference today in Hershey, Pa., said changes under the bill include:
- Requiring an annual independent audit rather than an annual evaluation.
- Increasing CISOs’ responsibilities.
- Requiring operational evaluations.
- Establishing a CISO council.
- Mandating standard governmentwide contract language.
- Requiring the Homeland Security Department to present an annual report to Congress.
The CISOs said one provision with potential difficulties would require them to direct and manage information technology security programs and functions in all subordinate agency organizations, including components, bureaus and offices.
“At a large department, I don’t see how that would be effective or doable,” said Richard Prentiss, CISO at the Treasury Department’s Office of Thrift Supervision.
He said different components’ networks in his department have different security rules, and it would be difficult to tell all component agencies how to handle subordinate network security.
He added that component agencies “do it differently. The outcome is the same, but we do it based upon the efficiencies that we have within our organization.”
Marian Cody, CISO at the Environmental Protection Agency, said the legislative language that would define the CISO’s authority over component offices needs clarifying. Cody said a provision that would give the CISO authority to block an agency’s information system from accessing the network if the system has been compromised or doesn’t meet security policies — essentially disconnecting a system — would be difficult to implement.
“At least at EPA, this really goes against the culture of the agency. This is big time,” she said. “There’s going to be lots of discussion around this and what this means and how to scope this appropriately to meet the agency’s culture and willingness to cooperate.”
The panel also discussed the bill’s requirements for a series of additional evaluations, and requirements that annual evaluations of agencies’ information security be audits.
“The theme of this entire act is audit, audit, audit and then audit some more,” Cody said. The bill “actually turns the CISO…into an auditor, and at EPA, what we’ve tried to do is exactly not that.… So we really don’t want to become yet another auditor.”
Patrick Howard, CISO at the Nuclear Regulatory Commission, said compliance is measured differently by various agencies, and the bill aims to provide some consistency across the government.
“There is going to be a need for some implementing instructions from the Office of Management and Budget, the [U.S] Computer Emergency Readiness Team, the National Institute of Standards and Technology, [and] others in order for us to really comply,” he said. “They need to really help us define what the requirements are.”