A House panel approved and sent to the entire House of Representatives legislation to reform the Federal Information Security Management Act, the 11-year-old law that governs IT security in the federal government.
The bipartisan Federal Information Security Amendments Act of 2013 unanimously passed the House Oversight and Government Reform Committee by a voice vote on March 20. The measure would require federal agencies to continuously monitor their IT systems for cyberthreats and implement regular threat assessments. The legislation, if enacted, would usurp the current FISMA law that heavily relies on a check-list approach to IT security that many people in government contend doesn't truly show how secure agencies' IT systems are [see Is Gov't IT Secure? FISMA Report Can't Tell].
Each agency would be required to designate an official to be chief information security officer under provisions of the bill. An agency's chief information officer could serve simultaneously as CISO; however, the bill would require that information security be the CISO's main focus.
According to the bill, the CISO's responsibilities would include:
- Overseeing the establishment and maintenance of a security operation that through automated and continuous monitoring can detect, contain and mitigate incidents that impair information security and agency information systems;
- Developing, maintaining and overseeing an agencywide information security program;
- Developing, maintaining and overseeing information security policies, procedures and control techniques to address all applicable requirements;
- Training and overseeing personnel with significant responsibilities for information security;
- Assisting senior agency officials on cybersecurity matters;
- Ensuring the agency has a sufficient number of trained and security-cleared personnel to assist in complying with federal cybersecurity law and procedures;
- Reporting at least annually to agency executives the effectiveness of the agency information security program; information derived from automated and continuous monitoring, including threat assessments; and progress on actions to remediate threats.
The bill would require that CISOs possess the necessary qualifications, including education, training, experience and the security clearance needed to do the job.
Creation of a Federal Information Security Incident Center
If enacted, the bill would create a federal information security incident center to provide timely technical assistance to operators of agency information systems regarding security incidents; compile and analyze information about incidents that threaten information security; inform operators of agency information systems about current and potential information security threats and vulnerabilities; and consult with the National Institute of Standards and Technology, agencies or offices operating or exercising control of national security systems regarding information security incidents and related matters.
The legislation also would give the director of the White House Office of Management and Budget the authority to oversee the development and implementation of policies, principles, standards and guidelines on information security as well as oversee the operations of a federal information security incident center.
The Obama administration has been shifting much of the responsibility of overseeing civilian agency IT security to the Department of Homeland Security. This bill does not grant any additional authorities to DHS, although it would not preclude OMB to do just that as long as the OMB director retains final authority.
Sen. Tom Carper, the Delaware Democrat who chairs the Senate Homeland Security and Governmental Affairs Committee, has promised that his panel will draft a FISMA reform measure, but it is unclear whether it would be in the form of a standalone bill or part of a more comprehensive cybersecurity legislative package.