Computer security law may come under Hill scrutiny

The federal law governing information security policies at agencies could come under scrutiny during a House subcommittee hearing Wednesday that will focus on cybersecurity incidents at the Homeland Security Department.

The House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology is scheduled to hear testimony from DHS Chief Information Officer Scott Charbo and the Government Accountability Office. While the hearing will focus on DHS, industry and congressional sources have indicated that a broader discussion of the 2002 Federal Information Security Management Act is likely to arise.

Despite its status as the nation's security agency, DHS has not been a model of computer security law compliance. In April, the department received a D grade on an annual congressional report card measuring how well agencies follow FISMA. The department flunked the previous year.

In a statement Tuesday, Rep. Bennie Thompson, D-Miss., chairman of the Homeland Security Committee, said Congress has "to turn FISMA away from a paper exercise." He said that optimal security policies would require agencies to monitor networks, test penetration, complete forensic analyses and mitigate vulnerabilities.

"Though FISMA brought much needed attention to federal information security, agencies can still receive high grades for compliance and be insecure," Thompson said. "Implementing those efforts will mean better security on our networks, and that's the next step the federal government needs to take."

Thompson is expected to attend the hearing and give an opening statement.

In April, Donald Reid, senior coordinator for security infrastructure at the State Department's Bureau of Diplomatic Security, told the subcommittee that FISMA does not "tell the whole story" when it comes to agencies' information security practices.

"Our ability to detect and respond to intrusions . . . nowhere is that measured in FISMA," Reid said. "It's a great baseline log, but we clearly have more work to do."

Another criticism of FISMA is that compliance is measured based on reports produced by agencies, rather than independent auditors. Such a setup does little to hold agencies accountable for instituting proper security, according to critics.

Rep. Tom Davis, R-Va., who issues the annual report card on FISMA compliance and serves on the Homeland Security Committee, said in a statement that he expects Wednesday's hearing to involve "the usual suspects with complaints: failing agencies, those who misunderstand what the act was designed to do and those who fail to recognize what it has accomplished" in making IT security a priority at federal agencies.

"Certainly, we want to avoid a 'check the box' mentality," Davis said. "We need to incentivize strong information protection policies and pursue a goal of security rather than compliance. The FISMA process is a good one, but we'll always ask if we can make it better."

Davis said additional work is needed in developing effective security plans and establishing milestones to measure implementation progress.

"More improvement is needed in how systems are configured from a security standpoint and for training for employees with significant information security responsibilities," Davis said. "We continue to meet with public and private stakeholders searching for other ideas for what might be most effective."

Wednesday's hearing is expected to focus on questions stemming from specific incidents on DHS networks such as hacking, classified leaks, unauthorized use by contractors and computer viruses.

GAO has been asked to describe findings on an unnamed DHS network that is "riddled with significant information security control weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized disclosure," according to a hearing briefing document.

The department's efforts to consolidate its computer networks under one roof also are likely to enter into the discussion, as are questions about "the lack of IT security funding" at DHS, the document indicates.

The committee sent Charbo letters on April 30 and May 31 that indicate the panel already has taken up its own investigation of the department's IT security, asking more than 25 questions over the course of two months about the status of the department's network security.
