Davis reinforces security rules

OMB GISRA report

Rep. Tom Davis (R-Va.) introduced a bill March 6 that would update and extend the Government Information Security Reform Act, as members of Congress expressed concern over current legislation.

Besides permanently reauthorizing GISRA, which is due to expire Nov. 29, Davis' Federal Information Security Management Act (FISMA) requires agencies to follow security standards and tools developed by the National Institute of Standards and Technology. Under current legislation, those standards are simply recommendations.

"In general, FISMA streamlines GISRA's provisions and requires that agencies utilize information security best practices that will ensure the integrity, confidentiality and availability of federal information systems," Davis testified before the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee.

Those best practices would include the security assessment questionnaire developed by NIST last year. Many agencies are using that tool already, and this month NIST will release the first automated version of the questionnaire, according to Joan Hash, manager of the NIST Computer Security Division's security management and guidance group.

The bill also addresses one of the primary concerns of congressional officials: reporting requirements.

GISRA's primary provision is the annual security assessments that every agency chief information officer and inspector general must turn in to the Office of Management and Budget. At the hearing, held by subcommittee chairman Rep. Stephen Horn (R-Calif.), several officials raised concerns about GISRA reporting requirements. Part of the reason for the short sunset date on GISRA was to give Congress time to examine the bill, which passed at the end of the session in 2000 with very little discussion. A number of problems already have become apparent, said Rep. Janice Schakowsky (D-Ill.), ranking member on the subcommittee.

One main problem is the fact that GISRA does not require agencies to provide Congress with their entire report, only a summary that goes through OMB, she said. OMB released the first of these reports last month. The fact that Congress sees only this summary means members did not get to see any of the agencies' corrective action plans, leaving them in the dark about the status of agencies' security, she said.

The General Accounting Office is reviewing the implementation of GISRA for the subcommittee. GAO officials also are concerned about the lack of access to full reports and action plans, because it limits Congress' ability to oversee agencies' compliance and hampers current-year budget deliberations, said Robert Dacey, director of information security issues at GAO.

Davis' bill addresses this issue by requiring OMB to include in its annual report to Congress not only the summary of findings and deficiencies, but also "planned remedial actions to address such deficiencies."