News, 4/30/2009, 04:57 PM

Bill Would Shift Government Cybersecurity Requirements

The U.S. Information and Communications Enhancement Act of 2009 would require more continuous monitoring of systems and measurement of the effectiveness of agencies' cybersecurity measures.

A new bill introduced this week by Sen. Tom Carper, D-Del., would change the way government agencies manage cybersecurity.

The bill, called the U.S. Information and Communications Enhancement Act of 2009, would update the Federal Information Security Management Act (FISMA), passed in 2002, which requires federal agencies to take steps to secure their computer networks. Among other things, the new bill would require, "to the extent practicable," more continuous monitoring of systems and measurement of the effectiveness of agencies' cybersecurity measures.

Today, FISMA requires every federal agency to put in place strategies to inventory their information systems, categorize them according to risk, carry out contingency planning and periodic risk assessments, train employees in cybersecurity, and report certain incidents to law enforcement. Agencies also need to certify and accredit their cybersecurity processes and related documentation.

However, while FISMA has focused government attention on information security, it hasn't given chief information security officers the power or the best tools to effectively secure their systems, said Bruce Brody, chief security officer at the Analysis Group and a former federal CISO at two agencies, in an interview. "FISMA has gotten us to the 50-yard line, but it isn't going to get us to the end zone," he said. Many FISMA critics, Brody included, say the law focuses too much on generating reports that don't actually ensure system security.

Carper's bill is a reworked version of one he introduced last year that made it out of committee but never came up for a full vote, and comes amid a flurry of government cybersecurity news, soon after the introduction of other cybersecurity legislation in Congress, and as the White House finalizes a cybersecurity review. It also comes on the heels of reports that the government's electrical grid and sensitive Air Force systems have been compromised by hackers and an announcement that the Department of Defense has spent $100 million defending against cyberattacks in the last six months alone.

The new bill would establish a National Office for Cyberspace that would oversee the execution of cybersecurity policies and procedures in government. Another bill recently introduced by Sen. John D. Rockefeller IV, D-W.Va., and Sen. Olympia Snowe, R-Maine, would create a similar office.

The bill would also require that penetration tests be carried out periodically to establish how vulnerable systems actually are and what needs to be done to mitigate those risks. It also explicitly defines the role of government CISOs.

It would give more weight to government-wide cybersecurity standards being developed by the National Institute of Standards and Technology, which could create a more consistent security posture across government. The U.S. Computer Emergency Readiness Team would be given the power to direct the sponsorship of security clearances for employees working in cybersecurity, which should make it easier for US-CERT to share information on attacks with federal agencies.

Missing from this bill are a few measures included in the earlier version, including the creation of a council of government CISOs and requirements that systems that don't meet certain security standards be remediated before being allowed to connect to government networks.


