Bill Would Shift Government Cybersecurity Requirements - InformationWeek


4/30/2009 04:57 PM


The U.S. Information and Communications Enhancement Act of 2009 would require more continuous monitoring of systems and measurement of the effectiveness of agencies' cybersecurity measures.

A new bill introduced this week by Sen. Tom Carper, D-Del., would change the way government agencies manage cybersecurity.

The bill, called the U.S. Information and Communications Enhancement Act of 2009, would update the Federal Information Systems Management Act, passed in 2002, to require federal agencies to take steps to secure their computer networks. Among other things, the new bill would require, "to the extent practicable," more continuous monitoring of systems and measurement of the effectiveness of agencies' cybersecurity measures.

Today, FISMA requires every federal agency to put in place strategies to inventory their information systems, categorize them according to risk, carry out contingency planning and periodic risk assessments, train employees in cybersecurity, and report certain incidents to law enforcement. Agencies also need to certify and accredit their cybersecurity processes and related documentation.

However, while FISMA has focused government attention on information security, it hasn't given chief information security officers the power or the best tools to effectively secure their systems, said Bruce Brody, chief security officer at the Analysis Group and a former federal CISO at two agencies, in an interview. "FISMA has gotten us to the 50-yard line, but it isn't going to get us to the end zone," he said. Many FISMA critics, Brody included, say the law focuses too much on generating reports that don't actually ensure system security.

Carper's bill is a reworked version of one he introduced last year that made it out of committee but never came up for a full vote, and comes amid a flurry of government cybersecurity news, soon after the introduction of other cybersecurity legislation in Congress, and as the White House finalizes a cybersecurity review. It also comes on the heels of reports that the government's electrical grid and sensitive Air Force systems have been compromised by hackers and an announcement that the Department of Defense has spent $100 million defending against cyberattacks in the last six months alone.

The new bill would establish a National Office for Cyberspace that would oversee the execution of cybersecurity policies and procedures in government. Another bill recently introduced by Sen. John D. Rockefeller IV, D-W.Va., and Olympia Snowe, R-Maine, would create a similar office.

The bill would also require that penetration tests be carried out periodically to see just how vulnerable systems are and what needs to be done to mitigate those risks. It also explicitly defines the role of government CISOs.

It would give more weight to government-wide cybersecurity standards being developed by the National Institute of Standards and Technology, which could create a more consistent security posture across government. The U.S. Computer Emergency Readiness Team would be given the power to direct the sponsorship of security clearances for employees working in cybersecurity, which should make it easier for US-CERT to share information on attacks with federal agencies.

Missing from this bill are a few measures included in the earlier version, including the creation of a council of government CISOs and requirements that systems that don't meet certain security standards be remediated before being allowed to connect to government networks.

