Momentum growing to strengthen information security requirements

Federal systems are still vulnerable to cyberattacks, so agencies need metrics to measure how secure their systems are and where they remain vulnerable.

Agency and White House officials told a House panel on Tuesday that because information security laws have failed to keep government networks safe from cyberattacks, the Obama administration plans to draw up new performance metrics to continually identify security risks.

The 2002 Federal Information Security Management Act, which requires agencies to inventory their computer systems and deploy security controls, doesn't fully protect federal systems against cyberattacks, Vivek Kundra, federal chief information officer at the Office of Management and Budget, told the House Government Management, Organization and Procurement Subcommittee.

"While the current reporting metrics may have made sense when FISMA was enacted, they are trailing, rather than leading, indicators," he said. "We need metrics that give insight into agencies' security postures and possible vulnerabilities on an ongoing basis."

The information that agencies collect as required by FISMA doesn't accurately reflect how secure their networks are, and the processes to collect the information are cumbersome and time-intensive, Kundra said. The federal community focuses too much on compliance and not outcomes, he added.

"Government often likes to do what can be measured easily," said Rep. Gerry Connolly, D-Va. "The question is, are we more secure today than when we passed FISMA? The answer to that is more problematic than we want to admit."

Almost all of the 24 major agencies that submit FISMA reports identified weaknesses in one or more areas of information security controls in fiscal 2008, despite reporting increased compliance in deploying key information security practices required by FISMA, the Government Accountability Office reported. Thirteen agencies reported significant deficiencies, and seven reported material weaknesses in information security.

"If you look at legislation in general, the challenge is keeping up with the evolving threat," Kundra said. "We need to be able to monitor agencies more on a real-time basis, rather than on an annual or quarterly basis. We have to ensure the metrics we're looking at move us in that direction."

Sen. Tom Carper, D-Del., introduced this month the 2009 U.S. Information and Communications Enhancement Act, which would significantly change FISMA by requiring the White House to establish specific standards to instruct agencies on how to actively monitor and fix security holes in computer systems.

OMB is working with the federal Chief Information Officers Council, agencies' chief information security officers and inspectors general, and the National Institute of Standards and Technology to develop metrics that predict security vulnerabilities and reflect agencies' actual information security status.

Kundra said the 60-day review of cybersecurity policies and efforts ordered by President Obama would improve information security governmentwide. Results of the review are expected to be released any day.

Jacquelyn Patillo, acting CIO at the Transportation Department, said the private sector should help enhance information security requirements or develop new ones. "Partnerships between the public and private sector to develop more intuitive and proactive mechanisms for prevention and detection of harmful behavior will facilitate a paradigm shift from a reactive mode to a more dynamic and proactive one," she said.

Patillo also recommended linking information security requirements with capital planning at agencies to ensure the appropriate money is set aside to pay for putting security practices in place.

Connolly and Rep. Diane Watson, D-Calif., subcommittee chairwoman, said Congress should pass legislation that would improve information security so advances live on after the Obama administration. "We need to work together," Connolly said. "There are changes that need to be made to the legislation, but this committee has to address that on a statutory basis."
