Within days, the State Department can tell which systems have and have not been patched. When State CISO John Streufert learned of the critical problem posed by the Aurora vulnerability, he didn't have to send an e-mail. The process was automated.
"Folks should not be fearful that if they don't have the skill set, they have to go find a new job because it's my responsibility to make sure that ... we are going to retrain them," says Jerry Davis, NASA deputy chief information officer for security.
The Protecting Cyberspace as a National Asset Act also would replace paper-based FISMA compliance with continuous monitoring of technology systems and with assaults by "friendly hackers" to test IT vulnerabilities.
The House-approved Defense Authorization Act includes provisions to establish a White House Office of Cyberspace with a Senate-confirmed director and update the 8-year-old Federal Information Security Management Act.
The legislation would replace the paper-compliance process established under the Federal Information Security Management Act eight years ago with one relying on the continuous monitoring of agencies' computer assets.