Computer security law may come under Hill scrutiny

The federal law governing information security policies at agencies could come under scrutiny during a House subcommittee hearing Wednesday that will focus on cybersecurity incidents at the Homeland Security Department.

The House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology is scheduled to hear testimony from DHS Chief Information Officer Scott Charbo and the Government Accountability Office. While the hearing will focus on DHS, industry and congressional sources have indicated that a broader discussion of the 2002 Federal Information Security Management Act is likely to arise.

Despite its status as the nation's security agency, DHS has not been a model of computer security law compliance. In April, the department received a D grade on an annual congressional report card measuring how well agencies follow FISMA. The department flunked the previous year.

In a statement Tuesday, Rep. Bennie Thompson, D-Miss., chairman of the Homeland Security Committee, said Congress has "to turn FISMA away from a paper exercise." He said that optimal security policies would require agencies to monitor networks, test penetration, complete forensic analyses and mitigate vulnerabilities.

"Though FISMA brought much needed attention to federal information security, agencies can still receive high grades for compliance and be insecure," Thompson said. "Implementing those efforts will mean better security on our networks, and that's the next step the federal government needs to take."

Thompson is expected to attend the hearing and give an opening statement.

In April, Donald Reid, senior coordinator for security infrastructure at the State Department's Bureau of Diplomatic Security, told the subcommittee that FISMA does not "tell the whole story" when it comes to agencies' information security practices.

"Our ability to detect and respond to intrusions . . . nowhere is that measured in FISMA," Reid said. "It's a great baseline log, but we clearly have more work to do."

Another criticism of FISMA is that compliance is measured based on reports produced by agencies, rather than independent auditors. Such a setup does little to hold agencies accountable for instituting proper security, according to critics.

Rep. Tom Davis, R-Va., who issues the annual report card on FISMA compliance and serves on the Homeland Security Committee, said in a statement that he expects Wednesday's hearing to involve "the usual suspects with complaints: failing agencies, those who misunderstand what the act was designed to do and those who fail to recognize what it has accomplished" in making IT security a priority at federal agencies.

"Certainly, we want to avoid a 'check the box' mentality," Davis said. "We need to incentivize strong information protection policies and pursue a goal of security rather than compliance. The FISMA process is a good one, but we'll always ask if we can make it better."

Davis said additional work is needed in developing effective security plans and establishing milestones to measure implementation progress.

"More improvement is needed in how systems are configured from a security standpoint and for training for employees with significant information security responsibilities," Davis said. "We continue to meet with public and private stakeholders searching for other ideas for what might be most effective."

Wednesday's hearing is expected to focus on questions stemming from specific incidents on DHS networks such as hacking, classified leaks, unauthorized use by contractors and computer viruses.

GAO has been asked to describe findings on an unnamed DHS network that is "riddled with significant information security control weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized disclosure," according to a hearing briefing document.

The department's efforts to consolidate its computer networks under one roof also are likely to enter into the discussion, as are questions about "the lack of IT security funding" at DHS, the document indicates.

The committee sent Charbo letters on April 30 and May 31 that indicate the panel already has taken up its own investigation of the department's IT security, asking more than 25 questions over the course of two months about the status of the department's network security.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.


When you download a report, your information may be shared with the underwriters of that document.