Lawmakers have introduced bills that would amend the Federal Information Security Management Act to improve security, despite the insistence of Office of Management and Budget officials that no additional legislation is necessary.
Karen Evans, OMB’s administrator for e-government and information technology, testified June 7 that FISMA did not require additional legislation, but she said updated guidance from the National Institute of Standards and Technology would help agencies meet the act’s goals.
Evans told members of two subcommittees of the House Oversight and Government Reform Committee that agencies need to do more than fill out paperwork.
But at least one senator wasn’t willing to wait for the NIST guidance. The day of the House hearing, Sen. Norm Coleman (R-Minn.) introduced a bill to amend FISMA, giving OMB more power to define information security standards and expand the definition of sensitive and personally identifiable information.
“This is about government accountability and our responsibility to protect the integrity of the public’s information and not put our citizens at risk of identity theft,” Coleman said in a statement.
In his bill, the definition of sensitive personal information would expand beyond name, Social Security number, date and place of birth, and biometric records to include employment history, financial transactions and medical history.
Coleman’s legislation is a companion measure to a bill introduced by Rep. Tom Davis (R-Va.), the author of FISMA.
Davis’ bill, unveiled May 3, would require agencies to devise practices and standards for data breach notifications and would amend FISMA to give chief information officers authority to enforce IT security.
Agencies implement FISMA through OMB directives that require them to adopt risk-based information security management policies and procedures. Agencies receive graded scores in an annual report card format.
Government officials and industry leaders have long complained that FISMA compliance is a paperwork exercise focused on documentation rather than real-time security monitoring.
Evans testified that agencies can follow FISMA to the letter of the law and still be insecure — as some critics of OMB’s FISMA policies have charged. Gregory Wilshusen, director of information security issues at the Government Accountability Office, agreed with Evans that uneven implementation and evaluation of information systems security could be FISMA’s greatest weakness.
Wilshusen added that the quality of agencies’ testing and evaluation methods also varied greatly, and he recommended creating a common framework to gather evidence more efficiently.
GAO is examining OMB’s performance measures and will release a report on FISMA later this year, he said.
Many agency officials agree that FISMA could be more effective. Vance Hitch, the Justice Department’s chief information officer, said he wanted Justice to move beyond identifying vulnerabilities and toward a more operational focus on information systems security.
