Senate to weigh agencies' info security practices

The effectiveness of the Federal Information Security Management Act, intended to improve data security across the federal government, will be questioned at a Senate hearing Wednesday.

The effectiveness of a 6-year-old law intended to improve data security across the federal government will be questioned at a Senate Homeland Security and Governmental Affairs Federal Financial Management Subcommittee hearing Wednesday. The event comes on the heels of an annual report to Congress by the Office of Management and Budget that showed progress by some agencies.

Comment on this article in the forum.Although the Federal Information Security Management Act was a positive step at the time, policymakers still cannot accurately say whether or not federal computer networks are secure, according to the subcommittee's hearing notice.

Karen Evans, OMB's e-government administrator, and officials from the Government Accountability Office, the State and Veterans Affairs departments, the U.S. Agency for International Development and the Nuclear Regulatory Commission will testify. The VA, which suffered a massive breach in 2006, ranked poorly last year in several areas of FISMA analysis. USAID ranked high on the list.

The departments of State, Treasury and Defense as well as NASA reported notable progress in meeting key security measures in 2007, the March 1 report to Congress said. The document said the number of incidents reported by agencies continues to fluctuate from the prior year and continues to differ from statistics provided by the U.S. Computer Emergency Readiness Team.

In fiscal 2007, 92 percent of all government agencies operated with complete certification and authentication of systems and 86 percent had tested contingency plans in the event of an information leak. OMB said 95 percent of all systems operate with security controls tested within the last year.

Of systems requiring a privacy impact assessment, 84 percent met the public posting mandate to ensure that agencies consider potential privacy concerns and incorporate mitigating measures into planning processes. Additionally, 83 percent of systems requiring a system of records notice met their requirement to let the public comment on the use and disclosure of individual records.

Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization, said the administration's FISMA reports are deceiving because the National Institutes of Standards and Technology -- not OMB -- is charged with establishing benchmarks. NIST guidelines are too broad and the audits are a waste of money, he said.

"NIST is the reason FISMA doesn't work," Paller said. "Karen has run IT systems and knows what it takes to secure them. The people at NIST, if they ever ran IT systems, it's been decades."