FISMA Reform Bill Introduced
Measure Would Create White House Cyber Director
The National Office of Cyberspace would be headed by an individual who would be nominated by the president and confirmed by the Senate. The legislation does not state to whom within the White House the cyberspace director would report; that will be determined after President Obama announces his cybersecurity agenda.
The bill, known as the United States Information and Communications Enhancement Act of 2009, or U.S. ICE, also would markedly alter the way the government measures IT security. The legislation calls for squads of hackers known as red teams to attack federal systems to determine vulnerabilities. Besides frequent and recurring evaluations of IT systems, the bill would require agencies to provide a remedial plan, including a budget, when vulnerabilities are exposed. These procedures would replace the one- to three-year "paper-based" certification and accreditation process required under FISMA that many in government deem ineffective.
"Instead of agencies wasting precious resources producing security plans that are outdated as soon as they are printed, my bill requires agencies to continuously monitor their networks for cyber intrusions and malicious activities, take steps to address their vulnerabilities, and then regularly test whether the steps they are taking to secure their networks are effective," ICE sponsor Sen. Tom Carper, D-Del., said in remarks introducing the bill.
Another key provision of the bill would standardize across the government the security configurations of commercial off-the-shelf IT products and services that government agencies purchase. "One of the messages that I heard loud and clear [from IT security experts] is that during the procurement process, we must incorporate security measures right from the start, not afterward through patchwork, which means we can save money and we can save time," Carper said in an interview following a subcommittee hearing he chaired.
Indeed, testifying before the full Senate Committee on Homeland Security and Governmental Affairs earlier Tuesday, Alan Paller, research director at the SANS Institute, agreed that standardizing configurations increases security while saving taxpayers money. He cited the Air Force's deployment of a standard configuration across more than a half-million computers. "In the process," Paller said, "the Air Force saved more than $100 million in procurement costs, that same amount annually in operational costs and tens of millions more in energy costs because the standard configuration allowed power-saving use without impacting performance. But even more important is that security patches are now installed in less than 72 hours, instead of the 57 days it took before. And surprisingly, the users are much more content - with help-desk calls reportedly down by 50 percent."
U.S. ICE, if enacted as written, also would require agencies to develop policies and guidance for coordinating incident reports with the U.S. Computer Emergency Readiness Team, the Department of Homeland Security unit that coordinates responses to security threats from the Internet, and would give its director the ability to hire the personnel needed to defend national security. "The Department of Homeland Security has taken the lead among civilian agencies in protecting the perimeter of the federal government but lacks some of the necessary authority and technical people necessary to realize a more secure civilian cyber space," Carper said.
Missing from the bill, though it appeared in an earlier draft, is language establishing a Federal Chief Information Security Officer Council. Carper declined to say why that provision was dropped. But in an interview earlier this month with GovInfoSecurity.com, Navy CIO Robert Carey said collaboration on IT security is best handled through the Federal CIO Council, whose committee on IT security he co-chairs. Carey noted that CIOs, along with their agency heads, have ultimate responsibility for IT security. Plus, he said, many of the IT security committee participants are CISOs, so there was no need for a CISO Council.
Carper predicted that U.S. ICE will pass the Senate this summer.