FISMA Reforms Outlined: Senator Tom Carper

Reform legislation is expected to be introduced this spring to update the Federal Information Security and Management Act, known as FISMA. A major complaint about FISMA is that complying with its rules does not necessarily guarantee departmental and agency information systems are secure. In this exclusive interview, Sen. Tom Carper, chairman of the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, discusses:
Key provisions in the bill to improve ways to measure and determine the security of federal government information systems;
Efforts to create a government-wide Chief Information Security Officer Council;
His views on the most pressing cybersecurity challenges facing the nation: identity theft and the viability of financial institutions and threats by foreign nations to federal information systems.

Tom Carper has held elective office for 32 consecutive years, ever since 1976 when Delaware voters tapped him to be state treasurer. In 1982, the Democrat was elected to the House of Representatives. After serving five terms in the House, voters elected him as governor in 1992 and again in 1996. Carper was elected to the Senate in 2000 and reelected in 2006. Besides chairing the subcommittee that provides oversight for federal government information security, Carper heads the Clean Air and Nuclear Safety Subcommittee and serves on the Finance Committee. He also is the Deputy Whip of the Senate's Democratic Party majority.

ERIC CHABROW: Hi, I'm Eric Chabrow of and welcome to our podcast interview. Today, our guest is Senator Tom Carper, the Delaware Democrat who chairs the Subcommittee on Federal Financial Management, Government Information and International Security. Part of the Senate Homeland Security and Government Affairs Committee, the Carper-led panel provides oversight on a federal government information security matters.

Senator, thank you for joining us. How secure are federal information networks and systems?

SENATOR CARPER: We are targeted every day; not just by kids or pranksters out to see if they can get into our databases and personnel information is obviously sensitive information, but we are targeted every day by criminal elements.

We are targeted every day by sovereign nations. In some cases they are trying to steal our plans for nuclear submarines, or communication systems, radar systems, so that they can short circuit their time needed to develop the latest weapons system. It happens every day and it is literally happening right now. They are coming after us and there is some serious matter, very serious.

CHABROW: Are you confident that our systems can protect us from them?

CARPER: Most of the time we do, but one of my cardinal principles is to focus on perfection in everything we do. I say if it isn't perfect, make it better. And, as hard as we try to protect our sensitive information from kids or from criminal elements or from nations that wish us ill, we can do better. In their eyes, perfecting their skills and their ability to hack into our systems (means) we just have to continue to improve.

CHABROW: What cybersecurity threats worry you the most?

CARPER: Two concerns; one is I always worry about identity theft and I worry about criminal elements stealing people's identities and being able to really reek damage on their personal finances and also to undermine the stability of our financial institutions.

And the other concern deals with the threat posed by a sovereign nation. The Chinese have built quite a reputation for their efforts to try to obtain our information relating to weapons systems development.

Also, I think if you look at the invasion of parts of Georgia by the Russians, they caused great calamity within the country of Georgia and their efforts to really interrupt the transmission of electricity and other information to that nation. It really showed a new way to wage war and a very effective way to cripple a nation and bring them to their knees aside from the [conventional] fight.

CHABROW: When will you introduce the bill updating FISMA, the Federal Information Security Management Act?

CARPER: When it is introduced to legislation by the spring. We have a new administration coming into office, senior leadership is being named and we want to give them a chance to settle into their new positions and as people come before us for confirmable positions on issues that we have an interest in, we are asking to meet with those people and to be able to let them know of our interest and this particular issue, cybersecurity, find out what thoughts they have about cybersecurity and then for us to use the confirmation process to reinforce our interest and to ask what they would like to do.

The idea is that once they get settled in, we'll have an opportunity to clearly signal to the new team, the new leadership team coming in that this is something that is an area that we have held hearings on and we have sought to legislate on already and we very much want to do that in this new Congress with this new administration, but to do it in a partnership. Not our way or the highway, but in a real partnership.

We could introduce legislation (now), but I don't know that that would be reflective of the type of the partnership, creative partnership that I would prefer. The idea is just to learn what is good about what we have proposed and what changes we may want to consider and what makes little sense in what we have proposed.

CHABROW: FISMA was enacted in 2002. Did it do what it was intended to do? What necessitates a change now?

CARPER: Our sense is that too often we have agencies who manage what we call paper compliance rather than really addressing the security of their networks, we want to go beyond paper compliance. We want to the best of our ability just ensure that our networks are more secure.

CHABROW: How do you do that?

CARPER: I chair another subcommittee that deals the safety of nuclear power plants and one of the things that the nuclear industry does is force-on-force activities where teams of trained nuclear plant security personnel will take on the identity of a hostile exterior force and literally attempt to take over a nuclear power plant, to overcome the security systems and people in place to protect the nuclear power plant. We call that a force-on-force exercise. They happen frequently across the country in our hundred plus nuclear power plants.

What we have in mind is requiring Homeland Security to conduct something similar, what we call them red team operational evaluations against our own networks and use what we think are likely vulnerabilities that bad guys and gals can exploit.

CHABROW: Would these force on force exercises be written into the reform legislation?

CARPER: We think it should be part of the law. I think with nuclear power plants, I think it is part of the law and we think it makes sense to do it here, too.

CHABROW: What other provisions will be in the reform legislation?

CARPER: There is a council of chief information officers. Among their concerns are security concerns. There is also a post called chief information security officers. We have talked to a number of them and heard from other folks recommended to us that we create a council of chief information security officers, where the folks within agencies who are responsible for security of their information systems meet on a regular basis and share ideas, actually share the information about the threats that they not only fear could occur but actually are happening every day. What are the tactics the bad guys are using across government in different agencies that we have to combat against. Second, to understand what some agencies are using to protect their sensitive information and what is working to deter the bad guys.

What we have in mind is a council of chief information security officers who can share with one another what threats they are facing, how they are dealing with those threats, what is working and what is not working.

CHABROW: And nearly all agencies in the departments, the chief information security officers report to the chief information officer. Will that reporting structure remain in your bill?

CARPER: We believe the chain of command is fine as it is.

CHABROW: And why so?

CARPER: We just want to make sure that our chief information security officers are talking with one another, sharing information with each other and helping one another.

CHABROW: What kind of metrics should be written into the legislation to assure government IT systems are secure?

CARPER: Let's stay with the idea of the metrics. We have different agencies that have different ways of measuring, if you will, just how secure they are and across the government we are using different standards to be able to measure how secure that we are being.

I don't know if that is a smart approach and it may be impossible at the end of the day to have one standard of objectively measuring performance protecting our sensitive information. I think there is reason to believe we should move closer to that goal than further away.

CHABROW: Are you looking to the private sector for ideas how best to measure IT security?

CARPER: As it turns out we have had in one of the hearings we had some of the most valuable testimony we had actually came from the private sector in making suggestions as to how we could better protect our sensitive information.

CHABROW: How else can FISMA be reformed to help ensure secure IT systems and networks?

CARPER: One other one deal with trying to figure out how to better use the government's purchasing power to improve security. (Senate staffer) Eric Hopkins, who helps me with this issue, he once said to me that roughly 10 percent of information technology costs are born by the federal government and I don't know that we use that enormous purchasing power to help us obtain commercial solutions that are more secure or more reliable. We ought to find a way to use that purchasing power and I think there is reason to believe we don't.

CHABROW: Will defining how to purchase secure IT products become part of the bill?

CARPER: Oh yeah. I think it has been an element and it will be going forward.

CHABROW: How much would information security reform cost taxpayers?

CARPER: I think it is nominal, but the potential for saving, particularly if we can find a way to capitalize on our purchasing power ... I think the potential is more likely that we will save some money.

CHABROW: And it will pass this year?

CARPER: It is going to pass. The president is going to sign it in the Rose Garden on my birthday. We spent a good part of last year trying to learn what needed to be done. I think we have a good idea. I see that spending the first part of this year in getting to know the new administration and the key players in the administration and getting their ideas and see what changes we ought to make in the legislation and then trying to move it.

And not just move it through committee but move it through the Senate and to partner with our friends in the House. Sometimes we focus a whole lot on just getting something through the Senate without thinking about the executive branch or thinking about the House and it has got to be that we think of those two as well, the administration and our House colleagues.

CHABROW: By working with the House and the Obama Administration, Senator Carper is lining up his ducks to try to get FISMA reform passed this year. If that's the case, he won't get his wish of President Obama signing the legislation on his birthday. You see, the senator's birthday is January 23rd.

I'm Eric Chabrow of Thanks for listening and please join us next time.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.