Measure would require agencies to appoint chief information security officers

Lawmakers unveil bill to strengthen requirements of the Federal Information Security Management Act.

Two lawmakers introduced a bill on Thursday to strengthen federal cybersecurity efforts and elevate the importance of chief information security officers throughout the government.

Sens. Tom Carper, D-Del., and Joseph Lieberman, I-Conn., introduced the measure, known as the 2008 Federal Information Security Management Act (S.3474). They announced they were crafting the measure in August. The bill requires agencies to appoint a qualified chief information security officer who would report to the chief information officer and would be responsible for monitoring, detecting and responding to cybersecurity threats.

"Our bill empowers chief information security officers to deny access to the agency network if proper security policies are not being followed. If we are going to hold these hardworking individuals accountable in Congress for information security, then we should give them the authority to do so," said Carper.

"I certainly welcome the additional attention to cybersecurity that the bill gives," said Bruce McConnell, former chief of information and technology policy at the Office of Management and Budget who currently runs the consulting firm McConnell International. "I think it's important to strengthen the role of CISOs. I think it will give them more visibility."

The bill also requires agencies to strengthen information security requirements in contracts with private vendors. "No longer should agencies and Congress have to clean up a security mess after an incident has already happened. Instead, we need to start focusing on purchasing more secure services and products that will help prevent these intrusions from happening in the first place," Carper said.

The bill requires the Homeland Security Department to conduct annual evaluations to determine whether hackers or enemy states can gain access to sensitive government information. Carper compared such testing to the type of red team security tests that currently take place at nuclear facilities and military bases, saying the results should give agency leaders and Congress a better picture of where weaknesses are.

"I am concerned that, five years after the passage of FISMA, agencies may have fallen into the trap of complacency and are just checking boxes to show compliance with requirements written into a bill," Carper said.

McConnell was not convinced the new bill would solve that problem, however. "I think the bill still doesn't reduce the current overemphasis on compliance. It may in fact increase it," he said. He called the compliance focus "endemic in computer security culture, not just the government."

"Part of the problem is there are no well-established metrics for what constitutes good security," he said. "The temptation is to substitute process or procedural check boxes. It would be better to spend less time on box checking and more time on developing real metrics. I am concerned that the law in this area continues to be made on an incremental basis. Perhaps in the next Congress we can look at a more comprehensive approach."

The bill calls for the creation of a CISO Council, where senior officials would meet to discuss threats to cybersecurity. The council would be chaired by the director of the National Cybersecurity Center, who would work closely with OMB. McConnell called that organizational approach "very innovative."