Bill Would Shift Government Cybersecurity Requirements - InformationWeek



The U.S. Information and Communications Enhancement Act of 2009 would require more continuous monitoring of systems and effectiveness of agencies' cybersecurity measures.

A new bill introduced this week by Sen. Tom Carper, D-Del., would change the way government agencies manage cybersecurity.

The bill, called the U.S. Information and Communications Enhancement Act of 2009, would update the Federal Information Systems Management Act, passed in 2002, to require federal agencies to take steps to secure their computer networks. Among other things, the new bill would require, "to the extent practicable," more continuous monitoring of systems and measurement of the effectiveness of agencies' cybersecurity measures.

Today, FISMA requires every federal agency to put in place strategies to inventory their information systems, categorize them according to risk, carry out contingency planning and periodic risk assessments, train employees in cybersecurity, and report certain incidents to law enforcement. Agencies also need to certify and accredit their cybersecurity processes and related documentation.

However, while FISMA has focused government attention on information security, it hasn't given chief information security officers the power or the best tools to effectively secure their systems, said Bruce Brody, chief security officer at the Analysis Group and a former federal CISO at two agencies, in an interview. "FISMA has gotten us to the 50-yard line, but it isn't going to get us to the end zone," he said. Many FISMA critics, Brody included, say the law focuses too much on generating reports that don't actually ensure system security.

Carper's bill is a reworked version of one he introduced last year, which made it out of committee but never came up for a full vote. It arrives amid a flurry of government cybersecurity news: soon after the introduction of other cybersecurity legislation in Congress, and as the White House finalizes a cybersecurity review. It also comes on the heels of reports that the government's electrical grid and sensitive Air Force systems have been compromised by hackers, and an announcement that the Department of Defense has spent $100 million defending against cyberattacks in the last six months alone.

The new bill would establish a National Office for Cyberspace that would oversee the execution of cybersecurity policies and procedures in government. Another bill recently introduced by Sen. John D. Rockefeller IV, D-W.Va., and Olympia Snowe, R-Maine, would create a similar office.

The bill would also require that penetration tests be carried out periodically to see just how vulnerable systems are and what needs to be done to mitigate those risks. It also explicitly defines the role of government CISOs.

It would give more weight to government-wide cybersecurity standards being developed by the National Institute of Standards and Technology, which could create a more consistent security posture across government. The U.S. Computer Emergency Readiness Team would be given the power to direct the sponsorship of security clearances for employees working in cybersecurity, which should make it easier for US-CERT to share information on attacks with federal agencies.

Missing from this bill are a few measures included in the earlier version, including the creation of a council of government CISOs and requirements that systems that don't meet certain security standards be remediated before being allowed to connect to government networks.
