Bill to beef up info security

A bill was introduced last month that would centralize the authority for security policy, enabling agencies to better secure information systems.

The Government Information Security Act would give the Office of Management and Budget the final say regarding security system policies for information systems. The bill would eliminate the current separation between civilian systems, managed by OMB and the National Institute of Standards and Technology, and national security systems, managed by the National Security Agency.

OMB would be the single point for establishing governmentwide security policies and would work with NIST to develop standards, while federal agencies would be responsible for developing specific security plans that are based on the "appropriate level of risk for the different type of information the agency maintains," said Sen. Joseph Lieberman (D-Conn.), a co-sponsor of the bill.

"We need to ensure that each agency's plan reflects an understanding that computer security must be an integral part of the development process for any new system," he said. "Agencies now tend to develop a system and consider security issues only as an afterthought, if at all."

The bill raises awareness of the importance of information systems security and of how it should be integrated into the day-to-day information technology decisions at each agency - a development that the General Accounting Office has called for.

The bill also has provisions for annual independent evaluations of agency security programs and practices, a major change in federal policy, according to Jean Boltz, assistant director of governmentwide and defense information systems at GAO. Agency inspectors general, or independent external contractors chosen by the inspectors general or the agency head, would conduct the audits. The results must be reported to OMB each March. OMB then would submit a report to Congress.

"GAO has told us that an audit requirement is essential to monitoring agencies' management and information security and to ensure that these systems are kept current," Lieberman said.

GAO has begun to analyze the bill, but officials there already say the bill's basic goals to bring more order to the federal government's security effort are on target, Boltz said.

"Overall, it has some good ideas in it," she said. "It tries to coordinate the information security requirements with information technology requirements in the Paperwork Reduction Act and Clinger-Cohen. It will maybe lead us away from the idea that security needs to be stovepiped."

The act builds on the security provisions within the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996 and the Computer Security Act of 1987 and is not intended to supplant them, said Sen. Fred Thompson (R-Tenn.), chairman of the Senate Governmental Affairs Committee and co-sponsor of the bill.

"This legislation...will update and clarify existing requirements of responsibilities of federal agencies in dealing with information security," Thompson said.

The Governmental Affairs Committee has been involved in computer security issues for many years and introduced the bill at the end of the session to give people a chance to offer suggestions and changes, said Leslie Phillips, spokeswoman for Lieberman.

The committee has been working closely with GAO to develop security best practices guides.

The committee also directed GAO to conduct in-depth tests and assessments of specific agencies' vulnerabilities, including the State Department and the Department of Veterans Affairs.

GAO found several common problems at agencies, including a lack of defined roles for security policy across government. But the underlying issue in the final GAO report was inadequate security program planning and management.