
FISMA Reform Bill Due Tuesday

Legislation Strengthens White House IT Security Role
Legislation to reform the Federal Information Security Management Act of 2002 will be introduced in the Senate on Tuesday, a Senate staffer who helped draft the bill told a panel at the RSA Conference in San Francisco on Thursday.

Erik Hopkins' presentation provided further evidence that the White House could assume greater control in coordinating federal government security. In the panel - The New FISMA: Security Finally Transcends Compliance - Hopkins offered a diagram illustrating the bill that showed a cyber office reporting directly to the president.

Hopkins, who works for the Senate Committee on Homeland Security and Governmental Affairs, was the third federal official addressing conference attendees to suggest the White House will be given more authority in safeguarding federal government information systems. On Wednesday, Obama administration cybersecurity advisor Melissa Hathaway - who last week submitted to the president an assessment of federal cybersecurity policy - said the White House must lead federal government cybersecurity efforts. A day before, National Security Agency Director Keith Alexander said NSA would not lead the nation's cybersecurity efforts, suggesting a greater role for the White House.

Hopkins said the benefits of FISMA reform include improved coordination of security efforts, better economies of scale and greater situational awareness of security threats, such as knowing where they originate and how the government will respond.

Among the objectives of the new legislation, according to Hopkins:

  • Create clear lines of responsibility and authority over security matters;
  • Coordinate security efforts among civilian, military, intelligence and private sector organizations; and
  • Establish new metrics of success, including where and how money is spent on security.

Indeed, a major criticism of current regulations borne from the 2002 law is that they measure whether departments and agencies comply with the rules and not whether the IT systems and data are truly secure. The government "measures the wrong things in the wrong way, and it fails to measure the right things," said Bruce Brody, vice president for cybersecurity and chief security officer at The Analyst Group, who participated in the same conference panel as Hopkins.

That's a point also made by one of the chief sponsors of the FISMA reform, Delaware Democratic Sen. Tom Carper, who in an earlier interview with GovInfoSecurity.com said: "Our sense is that too often we have agencies who manage what we call paper compliance rather than really addressing the security of their networks. We want to go beyond paper compliance. We want, to the best of our ability, to just ensure that our networks are more secure."

Hopkins expanded on their points, outlining these key challenges the government now faces:

  • No one person is accountable for information security;
  • More than 12 different agencies claim responsibility for cybersecurity;
  • There is no coordination among military, civilian and intelligence entities; and
  • Civilian agencies operate independently and spend money on questionable results.

By pushing for reform, Brody said, the message to government chief information security officers is: "We're undergoing a transformation from compliance to security."


About the Author

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.
