FISMA Reform Bill Due Tuesday
Legislation Strengthens White House IT Security Role
Erik Hopkins' presentation provided further evidence that the White House could assume greater control in coordinating federal government security. In the panel - The New FISMA: Security Finally Transcends Compliance - Hopkins offered a diagram illustrating the bill that showed a cyber office reporting directly to the president.
Hopkins, who works for the Senate Committee on Homeland Security and Governmental Affairs, was the third federal official addressing conference attendees to suggest the White House will be given more authority in safeguarding federal government information systems. On Wednesday, Obama administration cybersecurity advisor Melissa Hathaway - who last week submitted to the president an assessment of federal cybersecurity policy - said the White House must lead federal government cybersecurity efforts. A day before, National Security Agency Director Keith Alexander said NSA would not lead the nation's cybersecurity efforts, suggesting a greater role for the White House.
Hopkins said the benefits of FISMA reform include improved coordination of security efforts, better economies of scale and greater situational awareness of security threats, such as knowing where they originate and how the government will respond.
Among the objectives of the new legislation, according to Hopkins:
- Create clear lines of responsibility and authority over security matters;
- Coordinate security efforts among civilian, military, intelligence and private sector organizations; and
- Establish new metrics of success, including where and how money is spent on security.
Indeed, a major criticism of current regulations borne from the 2002 law is that they measure whether departments and agencies comply with the rules and not whether the IT systems and data are truly secure. The government "measures the wrong things in the wrong way, and it fails to measure the right things," said Bruce Brody, vice president for cybersecurity and chief security officer at The Analyst Group, who participated in the same conference panel as Hopkins.
That's a point also made by one of the chief sponsors of the FISMA reform, Delaware Democratic Sen. Tom Carper, who in an earlier interview with GovInfoSecurity.com said: "Our sense is that too often we have agencies who manage what we call paper compliance rather than really addressing the security of their networks. We want to go beyond paper compliance. We want to the best of our ability just ensure that our networks are more secure."
Hopkins expanded on their points, outlining these key challenges the government now faces:
- No one person is accountable for information security;
- More than 12 different agencies claim responsibility for cybersecurity;
- There is no coordination among military, civilian and intelligence entities; and
- Civilian agencies operate independently and spend money on questionable results.
By pushing for reform, Brody said, the message to government chief information security officers is: "We're undergoing a transformation from compliance to security."