Reform bill is just the start of improving information security

Standards to guide agencies on how to follow security processes and vendors on what requirements to include in products also are needed.

Support is building for measures that would reform the primary information security law governing how agencies protect their networks and data, but the changes will not be a solution to protect government systems, a panel of security professionals said on Tuesday.

"There's a lot of support [for security reform] on both sides of the aisle," said Erik Hopkins, a congressional aide with the Senate Homeland Security and Governmental Affairs Committee. "But it's one small piece of a larger puzzle. More change is coming."

In April, Sen. Tom Carper, D-Del., introduced the U.S. Information and Communications Enhancement Act to reform the 2002 Federal Information Security Management Act. The bill would require continuous monitoring of networks, give chief information officers and chief information security officers more control over technology budgets, and shut down systems that don't comply with security standards.

Hopkins said the bill's biggest change would be greater accountability. The bill has yet to be voted on in the Senate or House, but Congress is likely to introduce more security measures to contribute to "more comprehensive cybersecurity legislation," he said.

In addition to reforming FISMA, the government must define standards that guide how agencies follow information security processes and that provide technology vendors a single baseline from which to develop products, said Tony Sager, chief of the vulnerability analysis and operations group within the National Security Agency's information assurance directorate.

"If we leave it as 'You're responsible for good security,' that doesn't help anyone," he said. "What constitutes good behavior? We need to think of this as a bigger problem than the government can independently solve. We need to enlist the market and standards community [to develop] common approaches."

A decade ago, security was a monopoly for the U.S. government, Sager said. The defense and intelligence community defined the problem, and if they didn't like the risk associated with a piece of technology, "we'd design it away."

But now government recognizes information security is not just a technology problem, and the public and private sectors must work together to understand the threats and to develop standards to best protect sensitive information.

"There is no individual item worth falling on your sword for," Sager said. Individual agencies could decide to manage information security differently, based on the sensitivity of their systems and data, but the core security controls should be consistent across government.

The National Institute of Standards and Technology announced last week the third revision of Special Publication 800-53 -- "Recommended Security Controls for Federal Information Systems and Organizations" -- which for the first time includes security controls for both national security and non-national security networks. NIST also is working to update other publications that will support security standardization.

It's unclear how legislation and the NIST guidelines, which are meant to support agencies' compliance with FISMA, will fit into the Obama administration's plan for cybersecurity, Hopkins said.

"The administration has not shown its cards on who's going to be responsible for FISMA" and enforcing compliance with other information security standards, he said. "I think you'll more than likely see a whole cyber agency that doesn't just focus on security, but also on the economics to [ensure] this is a competitive environment" for industry.