FISMA reform rides on defense spending's coattails

The House has passed measures under the 2011 Defense Authorization spending bill to upgrade federal cybersecurity by improving the eight-year-old Federal Information Security Management Act (FISMA).

The cybersecurity-oriented amendment passed May 28 also pursues several other ways to streamline compliance and effective security.

Provisions that support FISMA reform include establishing a White House director for cyberspace and a federal cybersecurity practice board, both of which would help develop, update and implement federal cybersecurity guidelines and measures. That office and oversight board would also administer FISMA requirements and compliance, and be responsible for cybersecurity budgets and governmentwide coordination.

Although the White House cybersecurity office would have the authority to review civilian agencies’ information technology security budgets, it would be able only to make recommendations and could not issue orders. Also, the Defense Department and Central Intelligence Agency would be exempt from the White House office’s oversight.

Congressional moves to beef up federal cybersecurity come after years of complaints that FISMA’s goal of improving government network security is overshadowed by its paperwork-laden, procedural requirements.

In testimony in April on Capitol Hill, federal Chief Information Officer Vivek Kundra acknowledged that FISMA has lagged in truly improving federal IT security. “The FISMA measures reported on annually have led agencies to focus on compliance. However, we will never get to security through compliance alone,” he said.

Howard Schmidt, White House cybersecurity coordinator, said, “You can be compliant with FISMA but still not secure.” Schmidt added that he is working with Kundra and Office of Management and Budget Director Peter Orszag to make improvements. “We’re looking at turning that around so when you become secure, you become compliant,” Schmidt said at the U.S. Strategic Command Cyber Symposium in Omaha on May 28.

Reforming FISMA is just one of several parts of the defense spending bill amendment targeting security of government information systems.

Under the amendment, federal agencies would be required to start programs that continuously and automatically monitor their computer networks for cyber threats, and agencies would need to obtain annual, independent audits of in-house information security programs.

Government IT contractors and subcontractors would also face independent audits, and their contracts would include cybersecurity standards at inception. Those standards would be developed by the White House cybersecurity director’s office in conjunction with the National Institutes of Standards of Technology and the General Services Administration.

The amendment also calls for a White House office for the government’s chief technology officer.