FISMA Reform Bill Clears House Committee
Measure Would Create Senate-Confirmed Cybersecurity Director
Known as the Federal Information Security Amendments Act of 2010, or HR 4900, the bill would establish a National Office for Cyberspace in the White House to oversee IT security in civilian agencies that would be headed by a director who would require Senate confirmation.
To assure the safety of government information systems, the legislation would replace the current paper compliance process established under the Federal Information Security Management Act of 2002 with one relying on the continuous monitoring of agencies' computer assets. The FISMA-based checklist process has been deemed ineffective in determining whether IT systems are truly secure, and is considered by many government IT managers a waste of time and money.
Another provision of the bill would codify the position of federal chief technology officer, who would be charged to seek out technology solutions to protect government and private-sector IT systems. The current federal CTO, Aneesh Chopra, works in the White House Office of Science and Technology Policy. HR 4900 would establish a separate White House Office of Federal CTO. Unlike an earlier amended version of the bill approved by a subcommittee, which called for Senate confirmation, the CTO under the measure passed by the committee would not require the Senate's blessing.
The current top IT security officer in the White House is Cybersecurity Coordinator Howard Schmidt, who holds the post created last year by the president's regulatory authority; his appointment did not require Senate confirmation. That's a sore point with many lawmakers, because Schmidt isn't required to report to Congress. Under the committee-approved bill, the cyberspace director would make periodic reports to Congress and would be expected to testify before congressional panels.
The approved amended version of the bill, sponsored by Committee Chairman Edolphus Towns, D.-N.Y., and ranking minority member Darrell Issa, R.-Calif., stripped language that would have given the cyberspace director authority to review the IT security budgets of civilian agencies. Still, the approved measure grants the director authority to approve agencies' IT security programs.
The amended bill also is explicit that the cyberspace director has limited authority over Defense and intelligence IT systems.
Other provisions of the bill would:
- Institute a Federal Cybersecurity Practice Board within the National Office of Cyberspace, chaired by the director, charged with developing the processes agencies would follow to defend their IT systems. Board members would come from the Office of Management and Budget, the Department of Defense and select civilian and law enforcement agencies. The policies the board would develop include minimum security controls, measures of effectiveness for determining cyber risk and remedies for security deficiencies.
- Establish requirements for agencies to undertake automated and continuous system monitoring to identify system compliance, deficiencies and potential risks. These activities would move agencies away from manually intensive periodic assessments that fail to incorporate emerging trends or information about an agency's current security posture.
- Oblige agencies and contractors managing government systems to obtain an annual, independent audit of their IT programs to determine their overall effectiveness and compliance with FISMA requirements.
- Establish requirements for the purchase of secure commercial, off-the-shelf IT products and services as well as policies for mitigating supply chain risks associated with those products.
- Authorize the National Office of Cyberspace director to approve policies for the operation of a central federal information security incident center.
A similar bill revising FISMA is before the Senate, the United States Information Communications Enhancement Act, or U.S. ICE, sponsored by Sen. Tom Carper, D.-Del. That measure is likely to be modified and incorporated into a larger cybersecurity bill being drafted by Senate Homeland Security and Governmental Affairs Committee Chairman Joseph Lieberman, I-Conn.
HR 4900 is one of some 40 cybersecurity bills before Congress, according to a report issued this week by Melissa Hathaway, the former White House cybersecurity official who conducted President Obama's 60-day cyberspace review last year.