Data breaches raise more questions about computer security law

Recently reported breaches compromising sensitive data held by four agencies have officials looking at ways to improve federal information security laws.

Security experts and former government officials started pointing fingers at alleged weaknesses in the 2002 Federal Information Security Act earlier this year. In recent interviews, some said they believe that the incidents could lead to changes in the law.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, called the compromise of personnel records of 1,500 Energy Department employees revealed last week, combined with last month's theft of personal data on 26.5 million people from a Veterans Affairs Department employee's home, "an indictment of FISMA."

In two unrelated incidents, laptop computers containing the personal information -- including Social Security numbers, birthdates and names -- of about 200 employees at the Social Security Administration and the Internal Revenue Service were lost recently.

FISMA requires agencies to identity and categorize risks to their information technology systems and then implement security controls based on those risks.

Paller said agencies are using their technology security funds to pay independent contractors to write FISMA-required reports as part of the certification and accreditation process, leaving little money for implementing actual security measures. A certification and accreditation process is necessary, but it should be continuous and automated, Paller said.

"There was a thought that to check security, you had to check with people and talk to people, but because most attacks are done by systems, you need systems to check the security," Paller said. "The VA spent tens of millions of dollars certifying and accrediting these systems, and they are not secure."

A VA spokesman said that the agency received $77 million for information security in fiscal 2006 and $78 million has been proposed for fiscal 2007.

Paller and Bruce Brody, vice president for information security at the Reston, Va-based market research firm INPUT and associate deputy assistant secretary for cyber and information security at the VA from 2001 to 2004, have been critical of FISMA in the past, and both met with staffers from the House Government Reform Committee recently to discuss possible changes to the law.

Brody, who also served as chief information security officer at the Energy Department until December 2005, said that the Energy security breach occurred during his tenure at the agency, but within the National Nuclear Security Administration, which is autonomous from the department under the National Nuclear Security Act.

Paller said he believes that effective reform is possible, but Brody said the policy and legislative communities are unlikely to get the changes right unless information security practitioners are involved.

Clay Johnson, the Office of Management and Budget's deputy director for management, said last week OMB has 95 percent of the laws and policies it needs to hold agencies accountable for locking down their information systems, but "extra teeth" may be needed. He did not specifically refer to FISMA.

Johnson said in testimony before the House Government Reform Committee that the administration believes it generally has good policies and laws for protecting data, but is "prepared to take more action as necessary."

In a request for comment on the matter, OMB gave no indication that changes to FISMA are being considered.

OMB spokeswoman Andrea Wuebker said that FISMA was established to ensure that agencies meet consistent standards for security requirements for information systems. Agencies are responsible for ensuring that they are FISMA compliant and that their employees are trained to work with tough security measures, Wuebker said.

"Sound standards and policies are in place, and OMB works with agencies to make sure practices match these policies," Wuebker said.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • The Big Data Campaign Trail

    With everyone so focused on security following recent breaches at federal, state and local government and education institutions, there has been little emphasis on the need for better operations. This report breaks down some of the biggest operational challenges in IT management and provides insight into how agencies and leaders can successfully solve some of the biggest lingering government IT issues.

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care


When you download a report, your information may be shared with the underwriters of that document.