Davis bill reinforces security rules

Federal Information Security Management Act would give Congress more agency data

Rep. Tom Davis (R-Va.) introduced a bill March 6 that would beef up congressional oversight of federal information security management, drawing initial praise from agencies and security experts and criticism from observers who say the bill needs more teeth.

The legislation would update and extend the Government Information Security Reform Act of 2000, which consolidated many federal security policies and mandates into a single law and required an annual assessment to track compliance with those regulations.

GISRA expires Nov. 29, but the Federal Information Security Management Act (FISMA) would give Congress permanent oversight of agency security matters. The bill also expands the information that agencies must submit to Congress, including plans for fixing security problems.

Under GISRA, agencies provide detailed security reports to the Office of Management and Budget, which then gives a summary to Congress. At a hearing last week, members of Congress and the General Accounting Office said the summaries were not sufficient.

The lack of corrective-action plans leaves Congress in the dark about the status of agencies' security, said Rep. Janice Schakowsky (D-Ill.), ranking member of the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee.

GAO officials, who are reviewing the implementation of GISRA for the subcommittee, also are concerned about the lack of access to full reports and action plans, because it makes it hard for Congress to tell how well agencies are complying with the security mandates and to decide how much funding needs to be provided, said Robert Dacey, director of information security issues at GAO.

Beyond more detailed reporting, FISMA would require agencies to follow security standards developed by the National Institute of Standards and Technology and to make use of NIST security tools, such as its security assessment questionnaire.

FISMA also directs OMB to create a central office to collect information on security incidents at agencies. Several organizations collect such information now, including the Federal Computer Incident Response Center, the Critical Infrastructure Assurance Office and the analysis and warning section of the National Infrastructure Protection Center.

At the same hearing last week, administration officials praised GISRA for raising security awareness and welcomed an attempt to extend it with FISMA.

The fact that the assessments had the attention of top agency managers meant that officials are getting the chance to fix those problems, said Robert Gorrie, deputy director of the Defensewide Information Assurance Program, testifying at the subcommittee hearing.

OMB officials also are pleased by the progress made in helping agency managers understand their security responsibilities, said Dan Chenok, director of the information policy and technology branch in OMB's Office of Information and Regulatory Affairs.

OMB now makes security discussions part of the budget process, but awareness started with GISRA, Chenok said.

The accountability in the annual GISRA assessments would be difficult to replace, he said at a March 7 meeting of the federal Computer System Security and Privacy Advisory Board.

Still, some security experts say that FISMA is not enough to correct years of security problems.

None of the new requirements really force agencies to make the jump from planning to action, said Alan Paller, research director at the SANS Institute, a security education and consulting organization. "They're not really measuring whether or not the systems are safe...and without that, it's just a mechanism to get management attention," he said.

The bill fills some gaps in the current legislation, but now Congress must follow through by giving agencies the money they need to fix the problems found in the assessments, said Shannon Kellogg, vice president of information security programs at the Information Technology Association of America.

"We are in favor of strengthening requirements...but Congress needs to step up to the plate and authorize funding," Kellogg said. "If you're going to have GISRA with teeth, then you're going to have to have GISRA with funding."

***

At a Glance

Some provisions of the Federal Information Security Management Act:

* Requires agency chief information officers to perform self-assessments and inspectors general to perform independent assessments annually on the effectiveness of agencies' security programs, any deficiencies and the progress of any corrective actions.

* Creates a central information security incident center.

* Creates an Office of Information Security Programs within the National Institute of Standards and Technology to coordinate and develop standards, tools and guidelines for agencies.