Sens. Carper, Lieberman introduce data security legislation

The bill would enhance the ability of Congress to measure the effectiveness of agencies' information security plans.

Sen. Thomas Carper, D-Del., has introduced legislation that would standardize federal inspectors' general information security audits; create a council to write best practices and guidelines for data security; and strengthen the role of chief information security officers across the government. The proposal comes after several IT hearings in the Homeland Security Federal Financial Management Subcommittee, which Carper chairs.

The bill, co-sponsored by Homeland Security and Governmental Affairs Chairman Joseph Lieberman and introduced late Thursday, would give new powers to the Homeland Security Department to conduct "red team" penetration tests against civilian agencies and enhance the ability of Congress to measure the effectiveness of agencies' information security plans. In addition, the proposal would require Homeland Security to submit annual reports to Congress on the government's ability to safeguard sensitive data.

Carper's hearings, which examined how well agencies have reduced information security risks, uncovered countless examples of domestic and foreign cyberattacks on U.S. networks. A March hearing revealed that some officials viewed the comprehensive 2002 law aimed at beefing up federal IT system security merely as a compliance and paperwork exercise. Instead of measuring whether agencies were securing their systems, OMB was measuring whether agencies produced the right documents, witnesses said.

"Measuring an agency's compliance does not stop the countless examples of data loss due to negligence or willful intent," Carper said in a statement. "Missing or stolen data could potentially cause harm to many individuals, companies or the federal government if information fell into the wrong hands." Sen. Tom Coburn, R-Okla., the ranking member of the subcommittee, has not taken a position on Carper's bill but supports its underlying goal, a spokesman said today.

Carper's bill comes on the heels of another measure that he and Homeland Security and Governmental Affairs ranking member Susan Collins introduced in July that would more effectively manage the $71 billion that agencies spend annually on IT. That legislation would require agencies to routinely report to Congress on significant shortfalls in the cost, schedule, and performance of their IT programs. The bill would also create an "IT Strike Force" to help troubled agencies make better spending decisions.

Karen Evans, OMB's administrator for e-government and information technology, issued a statement today saying that she supports making "appropriate changes" to federal information security laws "to address the goal of reducing risk and managing risk associated with government information and information systems." She did not comment on Carper's legislation but said "we look forward to working with Congress to achieve this goal."