A bill to update the Federal Information Security Management Act,...
A bill to update the Federal Information Security Management Act, enacted in 2002, didn’t move Wednesday in the Senate Homeland Security and Governmental Affairs Committee, which lacked a quorum. But the six senators who showed up defeated an amendment by Tom Coburn, R-Okla., that would have stripped a provision creating a new council of agency chief information security officers. Sponsor Tom Carper, D-Del., said a string of breaches at U.S. agencies, hacking attempts by foreign states and even “pranksters who are trying to create some mischief” demand a FISMA update. “What we did then was frankly not successful and not sufficient,” since many agencies now can’t even say what data they hold, he said: “Those of us here in Congress have little idea whether our work [in 2002] has made agencies any more secure.”
S. 3474, also titled FISMA, would require agencies to designate chief information security officers, or CISOs, who would be barred from serving simultaneously as chief information officers. CIOs and CISOs would report jointly on network security in quarterly filings to the U.S. Computer Emergency Readiness Team at the Department of Homeland Security. The bill would authorize CISOs to deny network access to users not following security policies. It would create a CISO Council, similar to the existing CIO Council, that would also include representatives from OMB, the Office of the Director of National Intelligence, each military branch, US-CERT, U.S. Strategic Command and other relevant agencies. The council would be led by the National Cyber Security Center and OMB. DHS would have to evaluate each agency’s network security, reporting yearly to Congress on their performance. OMB and the National Institute of Standards and Technology would have to issue network-security regulations applying to any entity contracting with federal agencies.
The CISO Council provision is duplicative, Coburn said: “Creating another council means that we’re not going to hold the council we have now accountable.” Agencies already can create CISO positions or a new council, though OMB has said a CISO Council isn’t necessary, he added: “What we ought to be saying is ‘Do your job.’” Carper said CIOs’ duties, such as procurement and IT workforce improvement, differ dramatically from those of CISOs. Previously, as Delaware’s governor, he created councils for family services and land use that met with him monthly so they would “stop working through stovepipes,” he said. Carper and Coburn disagreed over whether a CISO Council would cost any money.