Data breaches raise more questions about computer security law

Recently reported breaches compromising sensitive data held by four agencies have officials looking at ways to improve federal information security laws.

Security experts and former government officials started pointing fingers at alleged weaknesses in the 2002 Federal Information Security Act earlier this year. In recent interviews, some said they believe that the incidents could lead to changes in the law.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, called the compromise of personnel records of 1,500 Energy Department employees revealed last week, combined with last month's theft of personal data on 26.5 million people from a Veterans Affairs Department employee's home, "an indictment of FISMA."

In two unrelated incidents, laptop computers containing the personal information -- including Social Security numbers, birthdates and names -- of about 200 employees at the Social Security Administration and the Internal Revenue Service were lost recently.

FISMA requires agencies to identity and categorize risks to their information technology systems and then implement security controls based on those risks.

Paller said agencies are using their technology security funds to pay independent contractors to write FISMA-required reports as part of the certification and accreditation process, leaving little money for implementing actual security measures. A certification and accreditation process is necessary, but it should be continuous and automated, Paller said.

"There was a thought that to check security, you had to check with people and talk to people, but because most attacks are done by systems, you need systems to check the security," Paller said. "The VA spent tens of millions of dollars certifying and accrediting these systems, and they are not secure."

A VA spokesman said that the agency received $77 million for information security in fiscal 2006 and $78 million has been proposed for fiscal 2007.

Paller and Bruce Brody, vice president for information security at the Reston, Va-based market research firm INPUT and associate deputy assistant secretary for cyber and information security at the VA from 2001 to 2004, have been critical of FISMA in the past, and both met with staffers from the House Government Reform Committee recently to discuss possible changes to the law.

Brody, who also served as chief information security officer at the Energy Department until December 2005, said that the Energy security breach occurred during his tenure at the agency, but within the National Nuclear Security Administration, which is autonomous from the department under the National Nuclear Security Act.

Paller said he believes that effective reform is possible, but Brody said the policy and legislative communities are unlikely to get the changes right unless information security practitioners are involved.

Clay Johnson, the Office of Management and Budget's deputy director for management, said last week OMB has 95 percent of the laws and policies it needs to hold agencies accountable for locking down their information systems, but "extra teeth" may be needed. He did not specifically refer to FISMA.

Johnson said in testimony before the House Government Reform Committee that the administration believes it generally has good policies and laws for protecting data, but is "prepared to take more action as necessary."

In a request for comment on the matter, OMB gave no indication that changes to FISMA are being considered.

OMB spokeswoman Andrea Wuebker said that FISMA was established to ensure that agencies meet consistent standards for security requirements for information systems. Agencies are responsible for ensuring that they are FISMA compliant and that their employees are trained to work with tough security measures, Wuebker said.

"Sound standards and policies are in place, and OMB works with agencies to make sure practices match these policies," Wuebker said.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by Brocade

    Best of 2016 Federal Forum eBook

    Earlier this summer, Federal and tech industry leaders convened to talk security, machine learning, network modernization, DevOps, and much more at the 2016 Federal Forum. This eBook includes a useful summary highlighting the best content shared at the 2016 Federal Forum to help agencies modernize their network infrastructure.

  • Sponsored by CDW-G

    GBC Flash Poll Series: Merger & Acquisitions

    Download this GBC Flash Poll to learn more about federal perspectives on the impact of industry consolidation.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by Aquilent

    A DevOps Roadmap for the Federal Government

    This GBC Report discusses how DevOps is steadily gaining traction among some of government's leading IT developers and agencies.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.

  • Sponsored by CDW-G

    Joint Enterprise Licensing Agreements

    Read this eBook to learn how defense agencies can achieve savings and efficiencies with an Enterprise Software Agreement.

  • Sponsored by Cloudera

    Government Forum Content Library

    Get all the essential resources needed for effective technology strategies in the federal landscape.


When you download a report, your information may be shared with the underwriters of that document.