Bill would reform cybersecurity management

Legislation introduced Wednesday by Rep. Tom Davis, R-Va., would reform the way cybersecurity is managed in federal agencies. The bill would also strengthen the National Institute of Standards and Technology's role in creating security standards for federal agencies.

The Federal Information Security Management Act, H.R. 3844, would make the 2000 Government Information Security Reform Act permanent. GISRA required agencies and their inspectors general to conduct program reviews and audits of information security practices and to submit their results to OMB. OMB sent Congress its overview of the security gaps agencies reported on Feb. 13, and it is now working with agencies to ensure that the weaknesses exposed in the reports are fixed. FISMA would make this a yearly process.

FISMA also increases NIST's role in creating cybersecurity standards for the federal government. A spokesman for Davis said the 1987 Computer Security Act and GISRA allow agencies to obtain waivers, effectively freeing them from following NIST's recommendations. FISMA would require agencies to follow NIST's cybersecurity guidance without exception.

In testimony before the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations on Wednesday, Davis stressed that governmentwide IT initiatives such as electronic procurement, telecommuting, information sharing and e-government are all vulnerable to cybersecurity threats. Because these initiatives are vital to strengthening the federal government's performance, cybersecurity protections must become institutionalized, he said.

"[My] concerns regarding the pervasive and persistent weaknesses in federal information security management, infrastructure and accountability remain strong," he said.