The bill, called the U.S. Information and Communications Enhancement Act of 2009, would update the Federal Information Security Management Act (FISMA), passed in 2002, to require federal agencies to take steps to secure their computer networks. Among other things, the new bill would require, "to the extent practicable," more continuous monitoring of systems and measurement of the effectiveness of agencies' cybersecurity measures.
Today, FISMA requires every federal agency to put in place strategies to inventory their information systems, categorize them according to risk, carry out contingency planning and periodic risk assessments, train employees in cybersecurity, and report certain incidents to law enforcement. Agencies also need to certify and accredit their cybersecurity processes and related documentation.
However, while FISMA has focused government attention on information security, it hasn't given chief information security officers the power or the best tools to effectively secure their systems, said Bruce Brody, chief security officer at the Analysis Group and a former federal CISO at two agencies, in an interview. "FISMA has gotten us to the 50-yard line, but it isn't going to get us to the end zone," he said. Many FISMA critics, Brody included, say the law focuses too much on generating reports that don't actually ensure system security.
Carper's bill is a reworked version of one he introduced last year that made it out of committee but never came up for a full vote, and comes amid a flurry of government cybersecurity news, soon after the introduction of other cybersecurity legislation in Congress, and as the White House finalizes a cybersecurity review. It also comes on the heels of reports that the government's electrical grid and sensitive Air Force systems have been compromised by hackers and an announcement that the Department of Defense has spent $100 million defending against cyberattacks in the last six months alone.
The new bill would establish a National Office for Cyberspace that would oversee the execution of cybersecurity policies and procedures in government. Another bill recently introduced by Sen. John D. Rockefeller IV, D-W.Va., and Olympia Snowe, R-Maine, would create a similar office.
The bill would also require that penetration tests be carried out periodically to see just how vulnerable systems are and what needs to be done to mitigate those risks. It also explicitly defines the role of government CISOs.
It would give more weight to government-wide cybersecurity standards being developed by the National Institute of Standards and Technology, which could create a more consistent security posture across government. The U.S. Computer Emergency Readiness Team would be given the power to direct the sponsorship of security clearances for employees working in cybersecurity, which should make it easier for US-CERT to share information on attacks with federal agencies.
Missing from this bill are a few measures included in the earlier version, including the creation of a council of government CISOs and requirements that systems that don't meet certain security standards be remediated before being allowed to connect to government networks.