Computer security law may come under Hill scrutiny

Lapses at the Homeland Security Department may prompt broader questions about the 2002 Federal Information Security Management Act.

The federal law governing information security policies at agencies could come under scrutiny during a House subcommittee hearing Wednesday that will focus on cybersecurity incidents at the Homeland Security Department.

The House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology is scheduled to hear testimony from DHS Chief Information Officer Scott Charbo and the Government Accountability Office. While the hearing will focus on DHS, industry and congressional sources have indicated that a broader discussion of the 2002 Federal Information Security Management Act is likely to arise.

Despite its status as the nation's security agency, DHS has not been a model of computer security law compliance. In April, the department received a D grade on an annual congressional report card measuring how well agencies follow FISMA. The department flunked the previous year.

In a statement Tuesday, Rep. Bennie Thompson, D-Miss., chairman of the Homeland Security Committee, said Congress has "to turn FISMA away from a paper exercise." He said that optimal security policies would require agencies to monitor networks, conduct penetration testing, complete forensic analyses and mitigate vulnerabilities.

"Though FISMA brought much needed attention to federal information security, agencies can still receive high grades for compliance and be insecure," Thompson said. "Implementing those efforts will mean better security on our networks, and that's the next step the federal government needs to take."

Thompson is expected to attend the hearing and give an opening statement.

In April, Donald Reid, senior coordinator for security infrastructure at the State Department's Bureau of Diplomatic Security, told the subcommittee that FISMA does not "tell the whole story" when it comes to agencies' information security practices.

"Our ability to detect and respond to intrusions . . . nowhere is that measured in FISMA," Reid said. "It's a great baseline log, but we clearly have more work to do."

Another criticism of FISMA is that compliance is measured based on reports produced by agencies, rather than independent auditors. Such a setup does little to hold agencies accountable for instituting proper security, according to critics.

Rep. Tom Davis, R-Va., who issues the annual report card on FISMA compliance and serves on the Homeland Security Committee, said in a statement that he expects Wednesday's hearing to involve "the usual suspects with complaints: failing agencies, those who misunderstand what the act was designed to do and those who fail to recognize what it has accomplished" in making IT security a priority at federal agencies.

"Certainly, we want to avoid a 'check the box' mentality," Davis said. "We need to incentivize strong information protection policies and pursue a goal of security rather than compliance. The FISMA process is a good one, but we'll always ask if we can make it better."

Davis said additional work is needed in developing effective security plans and establishing milestones to measure implementation progress.

"More improvement is needed in how systems are configured from a security standpoint and for training for employees with significant information security responsibilities," Davis said. "We continue to meet with public and private stakeholders searching for other ideas for what might be most effective."

Wednesday's hearing is expected to focus on questions stemming from specific incidents on DHS networks such as hacking, classified leaks, unauthorized use by contractors and computer viruses.

GAO has been asked to describe findings on an unnamed DHS network that is "riddled with significant information security control weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized disclosure," according to a hearing briefing document.

The department's efforts to consolidate its computer networks under one roof also are likely to enter into the discussion, as are questions about "the lack of IT security funding" at DHS, the document indicates.

The committee sent Charbo letters on April 30 and May 31 that indicate the panel already has taken up its own investigation of the department's IT security, asking more than 25 questions over the course of two months about the status of the department's network security.