Cybersecurity moving up on Congress' to-do list, staffer says

Momentum is growing on Capitol Hill for passage of cybersecurity legislation that would update the Federal Information Security Management Act (FISMA) and set policy for protecting the nation’s critical infrastructure, a Senate staffer said today.

“Cybersecurity is an issue that members of Congress are focusing on,” said Deborah Parkinson, senior policy analyst on the Senate Homeland Security and Government Affairs Committee. “There is a large majority on the Hill who want to take action.”

Parkinson, speaking at the Digital Government Institute Cybersecurity Conference in Washington, said legislation could come from information security amendments included in the Defense Department Authorization Bill passed in the House this week, despite differences between the House legislation and a cybersecurity bill now being drafted in the Senate Homeland Security Committee.

She also responded to public concerns about leaked provisions of the committee’s bill that would give the president power to mandate emergency controls on private infrastructure in the event of an “imminent cyber threat.”

“We are not taking over the world; we are not taking over anybody’s networks,” Parkinson said of the bill, which is now in a staff draft and has not been released. She said the president’s authority would be strictly limited in scope and time, and would apply only in extreme situations. “The president needs to have some very limited authorization,” but “the broad vision of a president taking over networks is not a part of what we are doing.”

Related stories:

Consensus growing for reform of flawed FISMA

FISMA reform would elevate White House’s cyber authority

The legislation is being based on FISMA reform bills that have been introduced in recent congressional sessions by committee member Sen. Thomas R. Carper (D-Del.), which would put senior policy coordination and leadership in the White House, and keep it answerable to Congress. It also would change agency requirements for measuring and reporting on security, which has been condemned under the existing FISMA as an endless paper chase.

“We hear time and again that budgets are tied up in doing reports rather than actually doing things that would improve security,” Parkinson said.

Whether cybersecurity updates will remain in the final DOD authorization bill and, if so, what they would look like, still is up in the air.

“The amendments that passed in the house are different from the FISMA legislation that Senator Carper introduced, which is the basis of what we are working on in the committee,” Parkinson said. One concern is that the House language does not specify the role of the Homeland Security Department in protecting government networks. However, she said, “the fact that they moved on FISMA reform is a good thing, and we will work through the differences.”

Until those differences are worked out, changes already are underway in FISMA compliance. The Office of Management and Budget in April issued new requirements for FISMA reporting, focusing more on real-time monitoring of system status rather than static snapshots for certification and accreditation. DHS expects to have new metrics for reporting ready for agencies by Aug. 3. A preliminary framework has been developed that streamlines requirements and focuses on the impact of security controls, said Matt Coose, federal network security director in the DHS National Cybersecurity Division.

“The point is assessing the risk posture,” Coose said.

One focus of the new metrics is automation. As the ability and availability of automated tools for assessing impact and status improves, the compliance metrics will attempt to move agencies toward better use of them, Coose said. But reporting requirements will have to balance between using automated tools and gathering data manually.

“There are a limited set of things today that can be automated,” he said. The first iteration of compliance metrics will probably require about 20 percent automated and 80 percent manual data, but the goal is eventually to shift that to an 80-20 mix.

Former Air Force CIO John Gilligan, also speaking at the event, had some kind words for FISMA.

“I viewed it very positively” when it came out in 2002, he said. “It allowed greater focus on cybersecurity at a time when cybersecurity was not center-stage.”

He said that it was straightforward and well written, but that compliance requirements, which were worked out in standards and regulations after the law was passed, were ineffective and became burdensome. “The guidance was overwhelming for most organizations.”

He said the direction in which cybersecurity needs to move is toward more automation, use of standards such as the Security Compliance Automation Protocols developed by the National Institute of Standards and Technology and the NSA, and prioritizing with the use of tools such as the Consensus Audit Guidelines of 20 critical security controls.