House committee pushes changes to IT security law

Agency CIOs could receive new authority for enforcement.

The House Veterans' Affairs Committee is seeking a substantial change in the law governing agency information security, which would give chief information officers new leverage in the struggle for information technology authority.

Critics of the 2002 Federal Information Security Management Act maintain that the law fails to give CIOs sufficient enforcement powers.

The 2006 Veterans Identity and Credit Security Act (H.R.5835) would, among other things, add a clause to the law giving CIOs authority to enforce information security "to the extent determined necessary and explicitly authorized by the head of the agency."

While changes to FISMA would typically come under the purview of the House Government Reform Committee, that panel's chairman, Rep. Tom Davis, R-Va., waived jurisdiction to the Veterans' Affairs Committee, which held a series of hearings on the Veterans Affairs Department's early May data breach. The committee approved the legislation, introduced by its chairman, Rep. Steve Buyer, R-Ind., last week.

Davis has proposed his own legislation (H.R. 5838) that is nearly identical to the section of Buyer's bill dealing with cybersecurity.

The Buyer legislation could go to the full House for a vote as early as Wednesday, contingent upon the completion of a Congressional Budget Office analysis, congressional sources said. Buyer has indicated that otherwise, the bill will not be voted on until September.

Previous attempts by Buyer to centralize the VA's management of IT have been well received in the House, but stymied in the Senate Veterans' Affairs Committee, which is chaired by Sen. Larry Craig, R-Idaho.

Paul Kurtz, director of the Cyber Security Industry Alliance, said the proposed change to FISMA is a step in the right direction. "CIOs have had the entire burden of securing an infrastructure but little of the enforcement power … If we are going to get serious about securing government information infrastructure, you have to have authority and accountability given to those who are in charge."

While nothing prevents an agency head from giving the CIO authority to enforce cybersecurity policies, agency heads often do not, said Marcus Sachs, deputy director in SRI International's Computer Science Laboratory and former cyber program director at the Homeland Security Department.

Pressure from agency undersecretaries who do not want to surrender power to IT departments, backed by agency legal opinions, has thwarted attempts to centralize enforcement authority for IT security, sources said. CIOs have then been left in situations where they can only issue recommendations in an attempt to ensure compliance with FISMA.

"The CIOs and CISOs are very frustrated," Sachs said. "By putting it into FISMA, it gives the CIO a bigger stick."

The public hearings drawing attention to the battle between the VA CIO and agency officials who oppose centralization of IT highlighted a scenario that plays out repeatedly in other agencies, sources said.

Sachs said the success of the proposed change will depend on the bill's final wording. "If it comes out with a lot of wiggle room, then [agency] general counsels are going to have a lot of room for interpretation … but if you put in heavy wording, there is danger that [the legislators] could get the words wrong."

Bruce Brody, vice president for information security at the Reston, Va.-based market research firm INPUT and associate deputy assistant secretary for cyber and information security at the VA from 2001 to 2004, said he is "underwhelmed" by the legislation's terminology. The language amounts to only about 10 percent of the changes that are necessary to make FISMA effective, he said.

Another FISMA critic, Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, said he is optimistic that the proposed change will prompt agency heads to "at least consider making the CIOs responsible for enforcement" of IT security.