Senate panel rejects weakening FISMA bill

A Senate committee is expected to vote this week on legislation that would raise the bar for agencies' information security compliance, and today it rejected an amendment that would have weakened the bill.

The Senate Homeland Security and Governmental Affairs Committee today considered a bill that would raise the bar for agencies to prove that they adequately protect sensitive information, and rejected an amendment that would have weakened the measure.

Under the provisions of the Federal Information Security Management Act of 2008, S. 3474, agencies would implement security measures commensurate with the risk and the degree of harm that would result from the loss of an agency's information or from unauthorized access to it. The bill would direct the Homeland Security Department to conduct penetration testing of civilian agencies' systems and would have Congress evaluate agencies' information security plans. It would also establish a Chief Information Security Officers Council so that agency CISOs could share best practices, and it would enlarge the authority of agency CISOs to enforce compliance in consultation and collaboration with the chief information officer. Under current law, the CISO's job is to assure compliance.

The committee will vote on the bill later today or on Sept. 18, said Sen. Tom Carper (D-Del.), chairman of the committee's Federal Financial Management, Government Information, Federal Services and International Security Subcommittee. He introduced the measure earlier this month.

The measure would amend the original FISMA legislation, which outlined compliance activities for agencies to complete each year. However, many agencies have turned FISMA compliance into a paperwork exercise, Carper said. "Measuring an agency's compliance does not stop the countless examples of data loss due to negligence or willful intent," he said.

The committee rejected an amendment by Sen. Tom Coburn (R-Okla.), ranking member of the subcommittee, to strike the establishment of the CISO council from the bill. He noted that the CIO Council already has information security responsibilities and said a new council would cost money.

"I don't want to create another layer of bureaucracy that would make us more inefficient," Coburn said.

Carper said CIOs primarily develop and oversee policy, while the CISO handles day-to-day information security activities. He suggested that a CISO council could have a sunset date of two or three years; if the council demonstrated benefits, it could be extended, Carper said.

The bill would also standardize the information security audits performed by agency inspectors general and require DHS to report to Congress on the government's ability to safeguard sensitive information.