CIPP Information Privacy & Security News: Group items tagged FISMA

Karl Wabst

FISMA Reform Bill Due Tuesday

    Legislation to reform the Federal Information Security Management Act of 2002 will be introduced in the Senate on Tuesday, a Senate staffer who helped draft the bill told a panel at the RSA Conference in San Francisco on Thursday. Erik Hopkins' presentation provided further evidence that the White House could assume greater control in coordinating federal government security. In the panel - The New FISMA: Security Finally Transcends Compliance - Hopkins offered a diagram illustrating the bill that showed a cyber office reporting directly to the president. Hopkins, who works for the Senate Committee on Homeland Security and Governmental Affairs, was the third federal official addressing conference attendees to suggest the White House will be given more authority in safeguarding federal government information systems. On Wednesday, Obama administration cybersecurity advisor Melissa Hathaway - who last week submitted to the president an assessment of federal cybersecurity policy - said the White House must lead federal government cybersecurity efforts. A day before, National Security Agency Director Keith Alexander said NSA would not lead the nation's cybersecurity efforts, suggesting a greater role for the White House. Hopkins said the benefits of FISMA reform include improved coordination of security efforts, better economies of scale and greater situational awareness of security threats such as knowing where they originate and how the government will respond.
Karl Wabst

FISMA Reforms Outlined: Senator Tom Carper

    Reform legislation is expected to be introduced this spring to update the Federal Information Security and Management Act, known as FISMA. A major complaint about FISMA is that complying with its rules does not necessarily guarantee departmental and agency information systems are secure. In this exclusive interview, Sen. Tom Carper, chairman of the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, discusses: Key provisions in the bill to improve ways to measure and determine the security of federal government information systems; Efforts to create a government-wide Chief Information Security Officer Council; His views on the most pressing cybersecurity challenges facing the nation: identity theft and the viability of financial institutions and threats by foreign nations to federal information systems.
Karl Wabst

Twenty Important Controls for Effective Cyber Defense and FISMA Compliance

    Securing our Nation against cyber attacks has become one of the Nation's highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against external attacks. Furthermore, for those external attacks that are successful, defenses must be capable of thwarting, detecting, and responding to follow-on attacks on internal networks as attackers spread inside a compromised network. A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that 'offense must inform defense'. In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008.
Karl Wabst

GAO report finds security lagging at federal agencies

    Twenty-three of the 24 major U.S. government agencies contain weaknesses in their information security programs, potentially placing sensitive data at risk of exposure, according to a government report issued this week. The U.S. Government Accountability Office (GAO) studied how the agencies were responding to the regulations described in the Federal Information Security Management Act of 2002 (FISMA). The mandate requires government entities to develop and implement an agencywide information security program. Inspectors general conduct annual reviews of agency progress. The GAO review, which took place between last December and this month, concluded, partly based on inspectors general and federal Office of Management and Budget (OMB) reports, that 23 of 24 agencies contain lax controls to ensure that only approved users can access system data. Meanwhile, 22 of 24 agencies described information security as a "major management challenge," according to the report.
Karl Wabst

GAO report cites government weaknesses, data leakage

    Weak security policies and practices in nearly all 24 major federal agencies in 2008 have resulted in exposing personally identifiable information of Americans, according to a new report from the Government Accountability Office (GAO). "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," according to the GAO report, issued Monday. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise." Federal agencies have reported some progress, providing awareness training for employees and testing system contingency plans, the GAO said. Still, employees with significant security responsibilities are not getting enough security training and known vulnerabilities remain wide open. The GAO conducts a periodic review of information security policies and procedures at federal agencies. Inspectors general review agency conformity to the Federal Information Security Management Act of 2002 (FISMA) and report their findings to Congress.