OMB does not support bill to update FISMA

OMB's Karen Evans said the legislation could cause some "unintended consequences."

The Bush administration doesn't support legislation introduced late last year that would modify the Federal Information Security Management Act, an administration official testified today.

The bill, sponsored by Reps. William Clay (D-Mo.), Henry Waxman (D-Calif.) and Edolphus Towns (D-N.Y.), would require agencies to develop policies and plans to identify and protect personal information and to develop requirements for reporting data breaches.


Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology, told House members that current activities being undertaken by agencies are closing the performance gaps and the legislation could cause agencies some unplanned problems.

“We want to make sure the changes are improving security,” Evans said after a hearing before the House Oversight and Government Reform Subcommittee on Information Policy, Census and the National Archives and the subcommittee on Government Management, Organization and Procurement. “We have the same goals, but need to work out the details.”

Evans testified that the foundation of FISMA is sound, and the bill could produce some “unintended consequences” that would “seriously impact established agency security and privacy practices while not necessarily achieving the outcomes of improved privacy and security.”

The measure follows OMB’s 06-16 memo from June 2006 that requires agencies to encrypt personal data using standards that would make the information unusable by unauthorized persons. The legislation also would mandate that agencies establish “minimum requirements regarding the protection of information maintained or transmitted by mobile digital devices.”

The bill also would require agencies to report data breaches in a timely manner to OMB and the Homeland Security Department’s U.S. Computer Emergency Response Center, and it addresses security for peer-to-peer networks.

Clay said at the hearing that although some real progress has been made under FISMA, he is concerned whether the current requirements and OMB policies are enough to protect agencies from the onslaught of attacks.

“The bill would move us toward more rigid security requirements while staying within the FISMA framework,” he said.

Over the last five years, FISMA has been widely criticized because some agencies are merely complying with its requirements and not actually improving network security. Although this criticism has waned recently, many say improvements to FISMA are necessary.

“The key change we need is to prioritize actions in FISMA,” said Alan Paller, director of research for the Sans Institute. “Agencies need to do what is most important first. Industry finds out where the attacks are coming from and fixes that area first and then worries about the rest.”

Greg Wilshusen, the Government Accountability Office’s director of information security issues, said that despite agencies' efforts to implement better IT security through FISMA, 20 of 24 major departments had inadequate information security controls that were either significantly deficient or had a material weakness.

Tim Bennett, president of the Cyber Security Industry Alliance, said that while FISMA has led to some success, his group would like to see eight changes made through Clay’s bill. Some of these include giving chief information officers and chief information security officers the authority they need to direct budget and personnel needs. He called for continuous monitoring and assessments, improved performance measurement and incentives so agencies make information security a higher priority.


Rep. Tom Davis (R-Va.), author of FISMA, said the government must be more proactive instead of reactive with the goal of security, not compliance.

“I think we can make FISMA better,” he said. “I hope we can agree on the right language.”